CVE-2024-47882

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47882
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47882.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-47882
Aliases
Downstream
Published
2024-10-24T20:35:30Z
Modified
2025-10-22T18:44:03.190290Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS Calculator
Summary
OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project
Details

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to respondWithErrorPage. Version 3.8.3 has a fix for this issue.

Database specific 
{
    "cwe_ids": [
        "CWE-79",
        "CWE-81"
    ]
}
References

Affected packages

Git / github.com/openrefine/openrefine

Affected ranges

Type
GIT
Repo
https://github.com/openrefine/openrefine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
d70d9114a8c021a233f0c13c73a0a7784276f2a4

Affected versions

1.*

1.1

2.*

2.6-alpha.2
2.6-alpha1
2.6-beta.1
2.6-rc.2
2.7
2.7-rc.1
2.7-rc.2
2.8

3.*

3.0
3.0-beta
3.0-rc.1
3.1
3.1-beta
3.2
3.2-beta
3.3
3.3-beta
3.3-rc1
3.4-beta
3.5-beta1
3.7-beta2
3.8-beta.3
3.8-beta.4
3.8-beta1
3.8-beta2
3.8-beta5
3.8.0
3.8.1
3.8.2

v2.*

v2.6-rc1

Database specific

vanir_signatures

[
    {
        "id": "CVE-2024-47882-463f1041",
        "target": {
            "file": "main/src/com/google/refine/RefineServlet.java"
        },
        "digest": {
            "line_hashes": [
                "70741200116215552636185552063441350157",
                "250578989153400506380281591621571840554",
                "234825196224379482873151685641821868458",
                "163240278076324717749431253028938753191"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/openrefine/openrefine/commit/d70d9114a8c021a233f0c13c73a0a7784276f2a4",
        "signature_type": "Line"
    }
]