VDB

CVE-2024-47878

CVE-2024-47878 · PUBLISHED · CVSS 8.1 HIGH

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim, without escaping, in a `<script>` tag in its output. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then be executed in the victim's browser as if it were part of OpenRefine. Version 3.8.3 fixes this issue.

EPSS 0.22% · 44.1th percentile

Risk Scores

CVSS 3.1: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score: 0.22% (44.1th percentile)

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Maven | org.openrefine:extensions | 0 |
| openrefine | openrefine | 0 |
| OpenRefine | OpenRefine | * |

Timeline

  • Jan 21, 1970 Security Advisory
  • Oct 24, 2024 CVE Published
  • Oct 24, 2024 Coalition ESS Score
  • Oct 25, 2024 EPSS Score
  • Oct 25, 2024 Coalition ESS Score
  • Oct 30, 2024 CVE Updated
  • Oct 30, 2024 Coalition ESS Score
  • Nov 12, 2024 EPSS Score
  • Dec 2, 2024 EPSS Score
  • Dec 20, 2024 EPSS Score
  • Jan 7, 2025 EPSS Score
  • Jan 26, 2025 EPSS Score