medium
6.1
CWE
79 81
Advisory Published
CVE Published
Updated

CVE-2024-47882: OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project

First published: Thu Oct 24 2024(Updated: )

### Summary The built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, as in GHSA-m88m-crr9-jvqq, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. ### Details The `Command.respondWithErrorPage` (through `HttpUtilities.respondWithErrorPage`) function renders the Velocity template `error.vt`, which contains the `$message` and `$stack` variables, which are included in the response as-is: https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53 However, the message can contain HTML tags, which would then be interpreted by the browser. A mitigation would be to escape both the message and stack trace, perhaps using Guava's HTML escaper. Flows that report errors as `application/json` responses are not interpreted by the browser and so not affected by this issue. ### PoC In OpenRefine, use the "Import project" feature to import the following URL (or upload it as a file): https://wandernauta.nl/oa/example.tar.gz A JavaScript alert appears. ### Impact Execution of arbitrary JavaScript in the victim's browser, provided the victim can be convinced to import a malicious project. The script can do anything the user can do.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
maven/org.openrefine:openrefine<3.8.3
3.8.3
Openrefine Openrefine<3.8.3
debian/openrefine<=3.6.2-2+deb12u2
3.8.7-1

Remedy

https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-47882?

    CVE-2024-47882 is categorized as a medium severity vulnerability due to the potential for injection attacks through unescaped HTML in error messages.

  • How do I fix CVE-2024-47882?

    To fix CVE-2024-47882, upgrade to OpenRefine version 3.8.3 or later, where the vulnerability has been addressed.

  • What type of vulnerability is CVE-2024-47882?

    CVE-2024-47882 is an injection vulnerability that allows for potential cross-site scripting attacks through error messages.

  • Who is affected by CVE-2024-47882?

    Users running OpenRefine versions prior to 3.8.3 are affected by CVE-2024-47882.

  • What can be exploited in CVE-2024-47882?

    An attacker could exploit CVE-2024-47882 by deliberately causing an error that includes malicious content in the error message.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203