Lucene search
+L

231 matches found

OSV
OSV
added 2024/10/24 6:30 p.m.8 views

GHSA-3PG4-QWC8-426R OpenRefine leaks Google API credentials in releases

Impact OpenRefine releases contain Google API authentication keys "client id" and "client secret" which can be extracted from released artifacts. For instance, download the package for OpenRefine 3.8.2 on linux. It contains the file...

7.2AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2024/10/24 6:30 p.m.16 views

OpenRefine leaks Google API credentials in releases

Impact OpenRefine releases contain Google API authentication keys "client id" and "client secret" which can be extracted from released artifacts. For instance, download the package for OpenRefine 3.8.2 on linux. It contains the file...

7.2AI score
Exploits0References3Affected Software1
vulnersOsv
vulnersOsv
added 2024/10/24 6:27 p.m.7 views

org.openrefine:benchmark (>=3.6-beta1 <=3.8.2), org.openrefine:database (>=3.6-beta1 <=3.8.2) +7 more potentially affected by unknown CVE via org.openrefine.dependencies:butterfly (>=1.2.3 <=1.2.5)

org.openrefine.dependencies:butterfly MAVEN version =1.2.3, =3.6-beta1, =3.6-beta1, =3.6-beta1, =3.6-beta1, =3.6-beta1, =3.6-beta1, =3.6-beta1, =3.7-beta1, =3.6-beta1, =3.6.2 Source cves: unknown CVE Source advisory: OSV:GHSA-MPCW-3J5P-P99X...

5.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2024/10/24 6:27 p.m.13 views

Butterfly's parseJSON, getJSON functions eval malicious input, leading to remote code execution (RCE)

Summary Usage of the Butterfly.prototype.parseJSON or getJSON functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server. Since Butterfly JavaScript code has access to Java classes, it can run arbitrary programs. Details The...

8.2AI score
Exploits0References3Affected Software1
vulnersOsv
vulnersOsv
added 2024/10/24 6:16 p.m.7 views

org.openrefine:benchmark (>=3.6-beta1 <=3.8.2), org.openrefine:database (>=3.6-beta1 <=3.8.2) +7 more potentially affected by CVE-2024-47883 via org.openrefine.dependencies:butterfly (>=1.2.3 <=1.2.5)

org.openrefine.dependencies:butterfly MAVEN version =1.2.3, =3.6-beta1, =3.6-beta1, =3.6-beta1, =3.6-beta1, =3.6-beta1, =3.6-beta1, =3.6-beta1, =3.7-beta1, =3.6-beta1, =3.6.2 Source cves: CVE-2024-47883 Source advisory: OSV:GHSA-3P8V-W8MR-M3X8...

9.1CVSS7.2AI score0.01602EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2024/10/24 6:16 p.m.33 views

Butterfly has path/URL confusion in resource handling leading to multiple weaknesses

Summary The Butterfly framework uses the java.net.URL class to refer to what are expected to be local resource files, like images or templates. This works: "opening a connection" to these URLs opens the local file. However, if a file:/ URL is directly given where a relative path resource name is...

9.1CVSS7AI score0.01602EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2024/10/24 6:13 p.m.13 views

GHSA-J8HP-F2MJ-586G OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project

Summary The built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this...

5.9CVSS6.3AI score0.00487EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2024/10/24 6:13 p.m.23 views

OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project

Summary The built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this...

6.1CVSS6.9AI score0.00487EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2024/10/24 6:11 p.m.21 views

GHSA-87CF-J763-VVH8 OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)

Summary In the database extension, the "enableloadextension" property can be set for the SQLite integration, enabling an attacker to load local or remote extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Details The...

8.1CVSS8.7AI score0.00658EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2024/10/24 6:11 p.m.29 views

OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)

Summary In the database extension, the "enableloadextension" property can be set for the SQLite integration, enabling an attacker to load local or remote extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Details The...

8.8CVSS8.1AI score0.00658EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2024/10/24 6:0 p.m.15 views

GHSA-79JV-5226-783F OpenRefine has a reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand

Summary The export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then ...

8.6CVSS7.4AI score0.00361EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2024/10/24 6:0 p.m.30 views

OpenRefine has a reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand

Summary The export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then ...

8.1CVSS7.4AI score0.00361EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2024/10/24 5:58 p.m.11 views

GHSA-3JM4-C6QF-JRH3 OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)

Summary Lack of CSRF protection on the preview-expression command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains...

7.6CVSS6.2AI score0.00389EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2024/10/24 5:58 p.m.11 views

OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)

Summary Lack of CSRF protection on the preview-expression command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains...

8.8CVSS8.1AI score0.00389EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2024/10/24 5:54 p.m.11 views

GHSA-PW3X-C5VP-MFC3 OpenRefine has a reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)

Summary The /extension/gdata/authorized endpoint includes the state GET parameter verbatim in a tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as...

8.6CVSS6.7AI score0.00441EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2024/10/24 5:54 p.m.22 views

OpenRefine has a reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)

Summary The /extension/gdata/authorized endpoint includes the state GET parameter verbatim in a tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as...

8.1CVSS6.7AI score0.00441EPSS
Exploits1References4Affected Software1
CNNVD
CNNVD
added 2024/10/24 12:0 a.m.6 views

OpenRefine 跨站脚本漏洞

OpenRefine is a Java-based open source tool from OpenRefine Open Source. The product is mainly used for loading data, analyzing data and cleaning data, etc. A cross-site scripting vulnerability exists in OpenRefine prior to version 3.8.3, which stems from a cross-site scripting attack that can be...

8.1CVSS5.8AI score0.00441EPSS
Exploits1References3
CNNVD
CNNVD
added 2024/10/24 12:0 a.m.3 views

OpenRefine 代码注入漏洞

OpenRefine is a Java-based open source tool. The product is mainly used for loading data, analyzing data and cleaning data, among other things. A code injection vulnerability exists in OpenRefine prior to version 3.8.3 that stems from the lack of cross-site request forgery protection in the...

8.8CVSS7AI score0.00389EPSS
Exploits1References3
CNNVD
CNNVD
added 2024/10/24 12:0 a.m.4 views

OpenRefine 安全漏洞

OpenRefine is a Java-based open source tool from OpenRefine Open Source. The product is mainly used for loading data, analyzing data and cleaning data, etc. A security vulnerability exists in OpenRefine prior to version 3.8.3, which stems from the built-in "Something went error!" error page that...

6.1CVSS6.3AI score0.00487EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2024/10/24 12:0 a.m.4 views

PT-2024-32868 · Unknown +3 · Openrefine +3

Name of the Vulnerable Software and Affected Versions: OpenRefine versions prior to 3.8.3 Description: The issue concerns the /extension/gdata/authorized endpoint, which includes the state GET parameter verbatim in a tag in the output without escaping. This allows an attacker to lead or redirect ...

9.8CVSS6.9AI score0.45473EPSS
Exploits8References43
Rows per page
Query Builder