CVE-2024-47878
- Reference to the description:
- Description:
- OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim, without escaping, in a `<script>` tag in the output. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then be executed in the victim's browser as if it were part of OpenRefine. Version 3.8.3 fixes this issue.
- Last updated date:
- 10/30/2024
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 10/30/2024
- Reference URL to background:
- https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-pw3x-c5vp-mfc3
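
The flaw class described above (a request parameter placed unescaped inside a `<script>` element) is shown here next to a context-aware encoder. This is an added example, not OpenRefine's code or its 3.8.3 patch: the page template, the function names and the sample value are all constructed for illustration.

```javascript
// Hypothetical template with the shape the description gives: the parameter
// is pasted into the script body with no encoding at all.
function renderVerbatim(state) {
  return `<script>var state = "${state}";</script>`;
}

// Encode a value as a JavaScript string literal that is also inert to the
// HTML parser. JSON.stringify handles quotes, backslashes and control
// characters; the extra pass escapes '<', '>' and '&' so the value cannot
// close the <script> element or open a comment, plus U+2028/U+2029, which
// older engines treat as line terminators inside string literals.
function toScriptLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderEncoded(state) {
  return `<script>var state = ${toScriptLiteral(state)};</script>`;
}

// The script body as an HTML parser sees it: everything up to the first
// "</script", wherever that sequence came from.
function scriptBody(html) {
  const start = html.indexOf("<script>") + "<script>".length;
  return html.slice(start, html.toLowerCase().indexOf("</script", start));
}

// Run the script body in a function scope and report the resulting `state`
// value and whether any statement other than the assignment executed.
function evaluate(html) {
  const run = new Function(
    "var injected = false;\n" + scriptBody(html) +
    "\nreturn { state: state, injected: injected };"
  );
  return run();
}

// Constructed sample: closes the string literal, then sets a harmless marker.
const SAMPLE = '";injected=true;//';

console.log(evaluate(renderVerbatim(SAMPLE))); // marker set, value lost
console.log(evaluate(renderEncoded(SAMPLE)));  // marker untouched, value intact
```

HTML entity escaping alone is the wrong encoder here, because the value lands in a JavaScript string inside a script element rather than in HTML text.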