GHSA-pw3x-c5vp-mfc3

Suggest an improvement
Source
https://github.com/advisories/GHSA-pw3x-c5vp-mfc3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-pw3x-c5vp-mfc3/GHSA-pw3x-c5vp-mfc3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pw3x-c5vp-mfc3
Aliases
Published
2024-10-24T17:54:25Z
Modified
2024-10-30T19:23:08.623533Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenRefine has a reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)
Details

Summary

The /extension/gdata/authorized endpoint includes the state GET parameter verbatim in a <script> tag in the output, so without escaping.

An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine.

Details

The state GET parameter is read from:

  • extensions/gdata/module/MOD-INF/controller.js:105

It is used (as $state) in:

  • extensions/gdata/module/authorized.vt:43

There is no check that the state has the expected format (base64-encoded JSON with values like "openrefine123..." and "cb123..."), or that the page was indeed opened as part of the authorization flow.

PoC

Navigate to:

http://localhost:3333/extension/gdata/authorized?state=%22,alert(1),%22&error=

An alert box pops up.

The gdata extension needs to be present. No other configuration is needed; specifically, it is not required to have a client ID or client secret set.

Impact

Execution of arbitrary JavaScript in the user's browser. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present.

References

Affected packages

Maven / org.openrefine:extensions

Package

Name
org.openrefine:extensions
View open source insights on deps.dev
Purl
pkg:maven/org.openrefine/extensions

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.8.3

Affected versions

3.*

3.6-beta1
3.6-beta2
3.6-rc1
3.6.0
3.6.1
3.6.2
3.7-beta1
3.7-beta2
3.7.0
3.7.2
3.8-beta1
3.8-beta5
3.8.0
3.8.1
3.8.2