PT-2024-32868

Highwetneb

Published: 2024-10-24 · Updated: 2025-02-10

CVE-2024-47878

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenRefine versions prior to 3.8.3

Description: The issue concerns the /extension/gdata/authorized endpoint, which includes the state GET parameter verbatim in a <script> tag in the output without escaping. This allows an attacker to lead or redirect a user to a crafted URL containing JavaScript code, which would then be executed in the victim's browser as if it were part of OpenRefine. The state parameter is read from the controller.js file and used in the authorized.vt file without any format checks or verification that the page was opened as part of the authorization flow. This can lead to the execution of arbitrary JavaScript in the user's browser, potentially allowing the attacker-provided code to perform actions such as deleting projects, retrieving database passwords, or executing arbitrary expressions.

Recommendations: For versions prior to 3.8.3, update to version 3.8.3 to fix the issue. As a temporary workaround, consider restricting access to the /extension/gdata/authorized endpoint until the update is applied.

Tags: XSS

Weakness Enumeration

Related Identifiers

CVE-2024-47878
GHSA-PW3X-C5VP-MFC3
USN-7260-1

Affected Products

Debian
Linuxmint
Openrefine
Ubuntu