11 matches found
CVE-2024-47880
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page th...
CVE-2024-47881
OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the database extension, the "enableloadextension" property can be set for the SQLite integration, enabling an attacker to load local or remote extension DLLs and so run...
CVE-2024-47880
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page th...
UBUNTU-CVE-2024-47882
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an...
CVE-2024-47881 OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)
OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the database extension, the "enableloadextension" property can be set for the SQLite integration, enabling an attacker to load local or remote extension DLLs and so run...
CVE-2024-47881
CVE-2024-47881 affects OpenRefine prior to 3.8.3. In the OpenRefine database extension, the enable_load_extension setting for the SQLite integration can be abused to load local or remote extension DLLs, allowing arbitrary code execution on the vulnerable server. Exploitation requires network acce...
CVE-2024-47881
OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the database extension, the "enableloadextension" property can be set for the SQLite integration, enabling an attacker to load local or remote extension DLLs and so run...
CVE-2024-47881 OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)
OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the database extension, the "enableloadextension" property can be set for the SQLite integration, enabling an attacker to load local or remote extension DLLs and so run...
CVE-2024-47879 OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the preview-expression command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can...
CVE-2024-47879
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the preview-expression command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can...
CVE-2024-47878 Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the /extension/gdata/authorized endpoint includes the state GET parameter verbatim in a tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing...