PT-2024-32872
Wetneb · Published 2024-10-24 · Updated 2025-02-10
CVE-2024-47882
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenRefine versions prior to 3.8.3
Description: The built-in error page in OpenRefine includes the exception message and exception traceback without escaping HTML tags, so an attacker who can trigger an error with an attacker-influenced message can inject markup into the page. This can be achieved by convincing a victim to import a malicious file. Out-of-tree extensions may also add their own calls to respondWithErrorPage, potentially increasing the exposure. The issue enables execution of arbitrary JavaScript in the victim's browser if the victim imports a malicious project.
Recommendations: For OpenRefine versions prior to 3.8.3, update to version 3.8.3 to resolve the issue. As a temporary workaround, restrict the import of projects from untrusted sources to minimize the risk of exploitation. Additionally, out-of-tree extensions should be reviewed for calls to respondWithErrorPage and updated accordingly, escaping any exception-derived text they pass, to prevent potential injection attacks.
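As an added illustration (not OpenRefine's code), the pattern the description refers to, in Python: an error page that concatenates the exception message and traceback verbatim, beside the hardened form that HTML-escapes both, plus a check a reviewer can run over rendered pages to flag exception-derived text that survives as a live tag. The exception message is constructed and the function names are hypothetical.

```python
import html
import traceback

# Constructed sample: an exception whose message is influenced by an imported file.
# An error page must treat such text as untrusted data, never as markup.
POISONED_MESSAGE = 'Invalid project archive: <script>alert("xss")</script>'


def render_error_page_unsafe(exc: Exception) -> str:
    """Mirrors the pre-3.8.3 pattern: message and traceback are concatenated
    into HTML verbatim, so any tags in the exception text become live markup."""
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return (
        "<html><body><h1>Error</h1>"
        f"<p>{exc}</p>"
        f"<pre>{tb}</pre>"
        "</body></html>"
    )


def render_error_page_safe(exc: Exception) -> str:
    """Hardened form: every piece of exception-derived text is HTML-escaped
    before insertion, so the browser renders it as literal text."""
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return (
        "<html><body><h1>Error</h1>"
        f"<p>{html.escape(str(exc), quote=True)}</p>"
        f"<pre>{html.escape(tb, quote=True)}</pre>"
        "</body></html>"
    )


def raise_poisoned() -> Exception:
    """Produce an exception carrying the constructed message, with a traceback
    attached (the traceback text repeats the message, a second injection point)."""
    try:
        raise ValueError(POISONED_MESSAGE)
    except ValueError as exc:
        return exc


def contains_live_tag(page: str, tag: str = "<script") -> bool:
    """Review check: does exception-derived text survive as an unescaped tag?
    The template itself emits no <script>, so any occurrence came from the exception."""
    return tag in page.lower()
```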

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-47882
GHSA-J8HP-F2MJ-586G
USN-7260-1

Affected Products

Debian
Linuxmint
Openrefine
Ubuntu