Highwetneb

**Name of the Vulnerable Software and Affected Versions** OpenRefine versions prior to 3.8.3 **Description** The issue concerns the `/extension/gdata/authorized` endpoint, which includes the `state` GET parameter verbatim in a `<script>` tag in the output without escaping. This allows an attacker to lead or redirect a user to a crafted URL containing JavaScript code, which would then be executed in the victim's browser as if it was part of OpenRefine. The `state` parameter is read from the controller.js file and used in the authorized.vt file without any format checks or verification that the page was opened as part of the authorization flow. This can lead to the execution of arbitrary JavaScript in the user's browser, potentially allowing the attacker-provided code to perform actions such as deleting projects, retrieving database passwords, or executing arbitrary expressions. **Recommendations** For versions prior to 3.8.3, update to version 3.8.3 to fix the issue. As a temporary workaround, consider restricting access to the `/extension/gdata/authorized` endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** OpenRefine versions prior to 3.8.3 **Description** The issue allows an attacker to lead a user to a malicious page that submits a form POST containing embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can perform actions such as deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. **Recommendations** For versions prior to 3.8.3, update to version 3.8.3 to fix the issue. As a temporary workaround, consider restricting access to the `export-rows` command or disabling the feature until a patch is available. Additionally, restricting the `Content-Type` header override and requiring a CSRF token could help mitigate the issue. It is also recommended to add a Content-Security-Policy header to the response to disable scripts and other potentially executable content.

Name of the Vulnerable Software and Affected Versions: OpenRefine versions prior to 3.8.3 Description: The load-language command in OpenRefine expects a `lang` parameter to construct the path of the localization file to load, in the form `translations-$LANG.json`. However, in affected versions, it does not check if the resulting path is in the expected directory, allowing the command to be exploited to read other JSON files on the file system. Recommendations: For versions prior to 3.8.3, update to version 3.8.3 to address this issue. As a temporary workaround, consider restricting access to the load-language command to minimize the risk of exploitation. Additionally, ensure that the normalized path is checked to be in the expected directory to prevent unauthorized file access.

**Name of the Vulnerable Software and Affected Versions** OpenRefine versions 3.4-beta through 3.8.2 **Description** The issue is related to the `database` extension in OpenRefine, where the "enable load extension" property can be set for the SQLite integration. This allows an attacker to load and execute arbitrary code on the server by loading local or remote extension DLLs. The attacker needs to have network access to the OpenRefine instance. The vulnerability can be exploited to achieve remote code execution. **Recommendations** For OpenRefine versions 3.4-beta through 3.8.2, update to version 3.8.3 to fix the issue. As a temporary workaround, consider setting `enable load extension` to `false` or restricting access to the `database` extension to minimize the risk of exploitation. Additionally, consider implementing mitigation steps such as having users upload the SQLite database file, making the path relative to the workspace directory, adding additional checks to the path, using the READONLY open mode, and enforcing stricter limits.