PT-2024-32871 · Openrefine

High · wetneb

Published 2024-10-24 · Updated 2025-02-10 · CVE-2024-47880

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenRefine versions prior to 3.8.3
Description: An attacker can lead a logged-in OpenRefine user to a malicious page that submits a cross-site form POST to the export-rows command with embedded JavaScript in one of its fields. The submitted content is reflected in the response together with an attacker-controlled Content-Type header, so the browser renders it as if it were a page served by OpenRefine and executes the script in OpenRefine's origin. The attacker-provided code can then perform any action the victim is authorized for, such as deleting projects, retrieving database passwords, or executing arbitrary Jython or Clojure expressions if those extensions are installed. The attacker must know a valid project ID of a project that contains at least one row.
Recommendations: For versions prior to 3.8.3, update to version 3.8.3, which fixes the issue. If upgrading is not immediately possible, restrict access to the export-rows command (for example at a reverse proxy) or disable the feature as a temporary workaround. Additionally, refusing client-supplied Content-Type overrides outside a fixed allow-list of export types and requiring a CSRF token on the export request removes both preconditions for the attack (a cross-site POST cannot carry the victim's token). It is also recommended to add a Content-Security-Policy header to the export response that disables scripts and other potentially executable content, so that reflected markup cannot run even if it is rendered.
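The mitigations above, shown as an added example that is not OpenRefine's own code: a minimal export handler written in the vulnerable shape the advisory describes (no CSRF check, body and Content-Type both taken from the form) next to a hardened version that requires a per-session CSRF token, allow-lists the Content-Type and sets a script-blocking CSP. The field names (`template`, `contentType`, `csrf_token`), the `Response` type and the toy template exporter are assumptions for this illustration, not OpenRefine's real parameters; `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` are extra hardening beyond what the advisory lists.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed, illustrative request/response shapes; not OpenRefine's real
# export-rows handler or its parameter names. Form fields arrive as a dict.

ALLOWED_CONTENT_TYPES = {
    "text/csv",
    "text/tab-separated-values",
    "application/json",
}
CSP = "default-src 'none'; script-src 'none'; sandbox"


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def render_rows(rows: List[str], template: str) -> str:
    """Toy exporter: substitute each row into a caller-supplied template string."""
    return "\n".join(template.replace("{value}", row) for row in rows)


def vulnerable_export(form: Dict[str, str], rows: List[str]) -> Response:
    """The pattern the advisory describes: no CSRF check, and both the body
    (via the template) and the Content-Type come from the form, so a
    cross-site POST yields attacker-authored HTML served from the app's origin."""
    body = render_rows(rows, form.get("template", "{value}"))
    return Response(200, {"Content-Type": form.get("contentType", "text/plain")}, body)


def hardened_export(form: Dict[str, str], rows: List[str], session_token: str) -> Response:
    """Mitigations named in the advisory: require a per-session CSRF token,
    refuse Content-Type overrides outside an allow-list, and send a CSP that
    disables scripts. Content-Disposition: attachment and nosniff are extra
    hardening (not in the advisory) so the export is never rendered inline."""
    token = form.get("csrf_token", "")
    # A cross-site form cannot read the victim's token; compare_digest avoids
    # leaking it through timing differences.
    if not token or not hmac.compare_digest(token, session_token):
        return Response(403, {"Content-Type": "text/plain"}, "missing or invalid CSRF token")

    content_type = form.get("contentType", "text/csv")
    if content_type not in ALLOWED_CONTENT_TYPES:
        return Response(400, {"Content-Type": "text/plain"}, "unsupported content type")

    body = render_rows(rows, form.get("template", "{value}"))
    headers = {
        "Content-Type": content_type,
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="export"',
    }
    return Response(200, headers, body)


if __name__ == "__main__":
    # Constructed cross-site POST: the attacker does not know the victim's
    # session token, so the form carries none; the template embeds a script.
    rows = ["row1"]
    attack = {"template": "<script>alert(document.domain)</script>{value}",
              "contentType": "text/html"}
    print(vulnerable_export(attack, rows))
    print(hardened_export(attack, rows, session_token="s3ss10n-t0k3n"))
```

Run stand-alone, the vulnerable handler returns a 200 `text/html` response carrying the script, while the hardened handler rejects the same request with 403 before any row is rendered; even a token-bearing request is refused if it asks for a content type outside the allow-list.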

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-47880
GHSA-79JV-5226-783F
USN-7260-1

Affected Products

Debian
Linuxmint
Openrefine
Ubuntu