CVE-2024-47880: OpenRefine has a reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand

October 24, 2024 (updated October 30, 2024)

The export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request.

An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled Content-Type header, and so potentially executed in the victim’s browser as if it was part of OpenRefine.

The attacker must know a valid project ID of a project that contains at least one row.

References

github.com/OpenRefine/OpenRefine
github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d
github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f
github.com/advisories/GHSA-79jv-5226-783f
nvd.nist.gov/vuln/detail/CVE-2024-47880

Code Behaviors & Features

Detect and mitigate CVE-2024-47880 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →