Wetneb

**Name of the Vulnerable Software and Affected Versions** OpenRefine versions prior to 3.8.3 **Description** The issue is related to a lack of cross-site request forgery protection on the `preview-expression` command. This means that visiting a malicious website could cause an attacker-controlled expression to be executed, potentially containing arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row and convince the victim to open a malicious webpage. **Recommendations** For OpenRefine versions prior to 3.8.3, update to version 3.8.3 to resolve the issue. As a temporary workaround, consider restricting access to the `preview-expression` command until the update is applied. Additionally, avoid using the `preview-expression` command with untrusted input, and be cautious when opening links from unknown sources.

**Name of the Vulnerable Software and Affected Versions** OpenRefine versions prior to 3.8.3 **Description** The built-in error page in OpenRefine includes the exception message and exception traceback without escaping HTML tags, allowing injection into the page if an attacker can produce an error with an attacker-influenced message. This can be achieved if an attacker convinces a victim to import a malicious file. Out-of-tree extensions may also add their own calls to `respondWithErrorPage`, potentially increasing the risk. The issue enables execution of arbitrary JavaScript in the victim's browser if the victim imports a malicious project. **Recommendations** For OpenRefine versions prior to 3.8.3, update to version 3.8.3 to resolve the issue. As a temporary workaround, consider restricting the import of projects from untrusted sources to minimize the risk of exploitation. Additionally, out-of-tree extensions should be reviewed for calls to `respondWithErrorPage` and updated accordingly to prevent potential injection attacks.

**Name of the Vulnerable Software and Affected Versions** Butterfly framework versions prior to 1.2.6 **Description** The Butterfly framework has a weakness related to incorrect restriction of the path name to a directory with limited access. This can be exploited by an attacker with network access to the application to gain access to files on the server's filesystem or shared by nearby machines. An attacker can also lead or redirect a user to a crafted URL belonging to the app, causing arbitrary attacker-controlled JavaScript to be loaded in the victim's browser. Additionally, if an app is written in such a way that an attacker can influence the resource name used for a template, the attacker could cause the app to fetch and execute an attacker-controlled template. The `edu.mit.simile.butterfly.ButterflyModuleImpl.getResource` method converts a resource name into a URL. If the resource name already starts with `file:/`, it is passed through unmodified, and there is no check that the resulting URL is inside the expected directory or on the same machine. The default implementation for `process` in `ButterflyModuleImpl` is to serve a named resource, making it vulnerable. The Velocity template library is also vulnerable if template resource names can be influenced by an attacker. **Recommendations** For versions prior to 1.2.6, update to version 1.2.6 or later to patch the vulnerability. As a temporary workaround, consider restricting access to the `file:/` URL scheme to minimize the risk of exploitation. Avoid using the `file:/` URL scheme in resource names until the issue is resolved. Restrict access to the vulnerable `ButterflyModuleImpl` and `ButterflyResourceLoader` classes to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenRefine versions prior to 3.2 **Description** The issue concerns the data import functionality, which is susceptible to an XML External Entity (XXE) attack. This attack can be initiated through a crafted zip file, enabling attackers to read arbitrary files. **Recommendations** For versions prior to 3.2, update to version 3.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the data import functionality until a patch is applied. Avoid using the data import feature with untrusted zip files to minimize the risk of exploitation.