First published: Thu Oct 24 2024
### Summary

The `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then be executed in the victim's browser as if it were part of OpenRefine.

### Details

The `state` GET parameter is read from:

* extensions/gdata/module/MOD-INF/controller.js:105

It is used (as `$state`) in:

* extensions/gdata/module/authorized.vt:43

There is no check that the state has the expected format (base64-encoded JSON with values like "openrefine123..." and "cb123..."), or that the page was indeed opened as part of the authorization flow.

### PoC

Navigate to:

http://localhost:3333/extension/gdata/authorized?state=%22,alert(1),%22&error=

An alert box pops up. The gdata extension needs to be present. No other configuration is needed; specifically, it is not required to have a client ID or client secret set.

### Impact

Execution of arbitrary JavaScript in the user's browser. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Clojure expressions, if those extensions are also present.
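As an added defensive example (not OpenRefine's own code), the two checks the Details section says are missing: enforce the expected shape of `state` (base64-encoded JSON whose values are plain tokens) before it reaches the template, and serialize it for a `<script>` context instead of pasting it in verbatim. Written for Node.js; the field names `openrefine` and `cb` are assumed for illustration.

```javascript
// Values inside the decoded state object must be plain tokens such as
// "openrefine123" or "cb123"; anything with quotes, brackets or slashes is rejected.
const TOKEN_RE = /^[A-Za-z0-9_-]{1,128}$/;
// Raw query value must be base64 / base64url only (Node's decoder is lenient and
// silently skips foreign characters, so this pre-check matters).
const B64_RE = /^[A-Za-z0-9+\/=_-]+$/;

// Returns the decoded state object, or null if the value is not well-formed.
function parseState(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  if (!B64_RE.test(raw)) return null;
  let obj;
  try {
    obj = JSON.parse(Buffer.from(raw, "base64").toString("utf8"));
  } catch (e) {
    return null; // not valid JSON after decoding
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
  for (const [key, value] of Object.entries(obj)) {
    if (!TOKEN_RE.test(key) || typeof value !== "string" || !TOKEN_RE.test(value)) {
      return null;
    }
  }
  return obj;
}

// Serialize for embedding in a <script> block: JSON.stringify handles quotes and
// backslashes; the extra replacements stop "</script>" or line-terminator tricks
// from breaking out of the script element.
function toScriptLiteral(obj) {
  return JSON.stringify(obj)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Builds the script fragment the template would emit, or null when the caller
// should render an error page instead of continuing the authorization flow.
function renderStateScript(raw) {
  const state = parseState(raw);
  if (state === null) return null;
  return "<script>var state = " + toScriptLiteral(state) + ";</script>";
}

module.exports = { parseState, toScriptLiteral, renderStateScript };
```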
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenRefine | <3.8.3 | |
| maven/org.openrefine:extensions | <3.8.3 | 3.8.3 |
| debian/openrefine | <=3.6.2-2+deb12u2 | 3.8.7-1 |
No explicit severity rating has been published for CVE-2024-47878; the issue is a cross-site scripting vulnerability.
To fix CVE-2024-47878, upgrade the affected OpenRefine software to version 3.8.3 or later.
CVE-2024-47878 arises because the `state` GET parameter is written unescaped into a `<script>` tag, so attacker-supplied JavaScript in that parameter is executed in the user's browser.
CVE-2024-47878 affects all versions of OpenRefine prior to 3.8.3.
CVE-2024-47878 may lead to cross-site scripting (XSS) attacks due to improper handling of user input.