CVE-2024-47878 org.openrefine:extensions

Package

Manager: maven
Name: org.openrefine:extensions
Vulnerable Version: >=0 <3.8.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00121 (percentile 0.31856)

Details

OpenRefine has a reflected cross-site scripting vulnerability (XSS) in the GData extension (authorized.vt)

### Summary

The `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then be executed in the victim's browser as if it were part of OpenRefine.

### Details

The `state` GET parameter is read from:

* extensions/gdata/module/MOD-INF/controller.js:105

It is used (as `$state`) in:

* extensions/gdata/module/authorized.vt:43

There is no check that the state has the expected format (base64-encoded JSON with values like "openrefine123..." and "cb123..."), or that the page was indeed opened as part of the authorization flow.

### PoC

Navigate to:

http://localhost:3333/extension/gdata/authorized?state=%22,alert(1),%22&error=

An alert box pops up. The gdata extension needs to be present. No other configuration is needed; specifically, it is not required to have a client ID or client secret set.

### Impact

Execution of arbitrary JavaScript in the user's browser. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Clojure expressions, if those extensions are also present.
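As an added, defensive illustration (not OpenRefine's own code or its fix) of the two checks the advisory says are missing: the `state` value is validated as base64-encoded JSON with the expected fields before it is used, and whatever must be embedded in a `<script>` block is escaped as a JavaScript string literal so it can never close the literal or the element. The field names `openrefine` and `cb`, the numeric-token pattern and the length limit are assumptions, not taken from the page.

```javascript
// Added example, not OpenRefine code. Assumed (hypothetical) state layout:
// base64 of a JSON object {"openrefine": "openrefine<digits>", "cb": "cb<digits>"}.
const STATE_FIELDS = { openrefine: /^openrefine[0-9]+$/, cb: /^cb[0-9]+$/ };

// Return the decoded state object, or null if the value is not a well-formed
// state produced by the authorization flow (rejects the PoC payload).
function parseState(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 512) return null;
  // Only the standard base64 alphabet with optional padding is accepted.
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(raw)) return null;
  let obj;
  try {
    obj = JSON.parse(Buffer.from(raw, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  // Exactly the expected keys, each matching its expected token pattern.
  if (Object.keys(obj).length !== Object.keys(STATE_FIELDS).length) return null;
  for (const [key, pattern] of Object.entries(STATE_FIELDS)) {
    if (typeof obj[key] !== 'string' || !pattern.test(obj[key])) return null;
  }
  return obj;
}

// Escape a value for a double-quoted JS string literal inside <script>:
// everything outside a small safe set (quotes, backslash, <, >, parentheses,
// control characters) becomes a \xNN or \uNNNN escape.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,.\-_]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// What the template should emit: the raw parameter never reaches the output,
// only a validated state that is re-encoded canonically and then escaped.
function renderStateScript(raw) {
  const parsed = parseState(raw);
  if (parsed === null) return null; // not part of the authorization flow
  const canonical = Buffer.from(JSON.stringify(parsed)).toString('base64');
  return 'var state = "' + escapeJsString(canonical) + '";';
}

module.exports = { parseState, escapeJsString, renderStateScript };
```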

Metadata

Created: 2024-10-24T17:54:25Z
Modified: 2024-10-30T19:03:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-pw3x-c5vp-mfc3/GHSA-pw3x-c5vp-mfc3.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-pw3x-c5vp-mfc3
Finding: F008
Auto approve: 1