PT-2024-32869 · Unknown+3 · Openrefine+3
Wetneb · Published 2024-10-24 · Updated 2025-02-10 · CVE-2024-47879
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenRefine versions prior to 3.8.3
Description
The issue stems from a lack of cross-site request forgery (CSRF) protection on the preview-expression command. Because nothing ties a request for that command to the page that issued it, visiting a malicious website could cause an attacker-controlled expression to be executed, potentially containing arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row and must convince the victim to open a malicious webpage.
Recommendations
For OpenRefine versions prior to 3.8.3, update to version 3.8.3 to resolve the issue. As a temporary workaround, consider restricting access to the preview-expression command until the update is applied. Additionally, avoid using the preview-expression command with untrusted input, and be cautious when opening links from unknown sources.
Exploit
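The following Python sketch is an added example, not OpenRefine's code, and it models the class of flaw described above rather than the project's actual handler: an expression-preview endpoint that, in its vulnerable form, runs whatever expression arrives in a POST carrying a known project ID, and, in its hardened form, first requires a per-session CSRF token that only same-origin script can obtain (with an Origin check as a second layer). The project ID, session cookie value, expressions and origins are constructed, and the expression engine is replaced by a recorder so the example runs offline.

```python
"""Illustrative CSRF protection for an expression-preview endpoint.

Added example, not OpenRefine's code. It models the flaw class in the
advisory: a command that evaluates a caller-supplied expression against a
project and is reachable by a cross-site POST because nothing binds the
request to the page that issued it. The hardened handler requires a
per-session token that a cross-site page cannot read.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: one project containing one row (the advisory's
# precondition is a project with at least one row). The ID is hypothetical.
PROJECTS: Dict[str, List[dict]] = {"1234567890123": [{"name": "alice"}]}


@dataclass
class Request:
    """Minimal model of an HTTP POST as the server sees it."""
    session_id: str                  # cookie the browser attaches automatically
    params: Dict[str, str]           # form fields the requesting page controls
    origin: Optional[str] = None     # Origin header; browsers send it on cross-site POSTs


class Server:
    SITE_ORIGIN = "http://127.0.0.1:3333"   # assumed origin of the tool's own UI

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}                 # session_id -> token
        self.evaluated: List[Tuple[str, str]] = []        # what reached the "engine"

    def _evaluate(self, project_id: str, expression: str) -> dict:
        # Stand-in for the expression engine: record instead of executing.
        # In the real product this step can run arbitrary code, which is why
        # a missing origin check rates C:H/I:H/A:H.
        self.evaluated.append((project_id, expression))
        return {"ok": True, "rows": len(PROJECTS[project_id])}

    def _preview(self, req: Request) -> dict:
        pid = req.params.get("project", "")
        if pid not in PROJECTS or not PROJECTS[pid]:
            return {"ok": False, "error": "unknown or empty project"}
        return self._evaluate(pid, req.params.get("expression", ""))

    def preview_expression_vulnerable(self, req: Request) -> dict:
        # No check of where the request came from: any page can trigger it.
        return self._preview(req)

    def get_csrf_token(self, req: Request) -> str:
        # Same-origin script fetches this and copies it into later requests.
        # A cross-site page can send the request but cannot read the response.
        token = secrets.token_urlsafe(32)
        self._tokens[req.session_id] = token
        return token

    def preview_expression_hardened(self, req: Request) -> dict:
        # Layer 1: if the browser sent an Origin header, it must be our own.
        if req.origin is not None and req.origin != self.SITE_ORIGIN:
            return {"ok": False, "error": "cross-origin request refused"}
        # Layer 2: the token must match the one issued to this session.
        expected = self._tokens.get(req.session_id)
        supplied = req.params.get("csrf_token", "")
        if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return {"ok": False, "error": "missing or invalid CSRF token"}
        return self._preview(req)


def demo() -> dict:
    """Replay one legitimate request and two forged ones against both handlers."""
    srv = Server()
    session = "session-cookie-value"                      # constructed
    pid = "1234567890123"
    # Legitimate use: the tool's own page fetches a token, then previews.
    token = srv.get_csrf_token(Request(session, {}, Server.SITE_ORIGIN))
    legit = Request(session, {"project": pid, "expression": "value.toUppercase()",
                              "csrf_token": token}, Server.SITE_ORIGIN)
    # Forged: a page on another site auto-submits a form; the browser attaches
    # the cookie, but the page holds no token and carries its own Origin.
    forged = Request(session, {"project": pid, "expression": "<attacker-controlled>"},
                     "http://evil.example")
    # Same forgery from a client that sends no Origin header at all.
    forged_no_origin = Request(session, dict(forged.params), None)

    vulnerable_forged = srv.preview_expression_vulnerable(forged)["ok"]
    vulnerable_forged_no_origin = srv.preview_expression_vulnerable(forged_no_origin)["ok"]
    hardened_forged = srv.preview_expression_hardened(forged)["ok"]
    hardened_forged_no_origin = srv.preview_expression_hardened(forged_no_origin)["ok"]
    hardened_legit = srv.preview_expression_hardened(legit)["ok"]
    return {
        "vulnerable_forged": vulnerable_forged,
        "vulnerable_forged_no_origin": vulnerable_forged_no_origin,
        "hardened_forged": hardened_forged,
        "hardened_forged_no_origin": hardened_forged_no_origin,
        "hardened_legit": hardened_legit,
        "evaluated": srv.evaluated,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged requests reach the evaluator only through the vulnerable handler; the hardened handler rejects them whether or not an Origin header is present, because the token check does not rely on the browser supplying one. The token is compared with a constant-time function, and a fresh one is issued per session rather than hard-coded into the page.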
Fix
Code Injection
CSRF
Related Identifiers
Affected Products
Debian
Linuxmint
Openrefine
Ubuntu