OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)
CVE-2024-47879

8.8 HIGH

Key Information:

Vendor: OpenRefine

CVE Published: 24 October 2024

What is CVE-2024-47879?

A cross-site request forgery (CSRF) vulnerability exists in OpenRefine versions prior to 3.8.3. Because the preview-expression command does not verify that a request originates from the OpenRefine UI, an attacker can cause it to execute arbitrary Clojure or Python code when the victim visits a specially crafted malicious webpage while OpenRefine is running. To carry out the attack, the attacker needs to know a valid project ID of an OpenRefine project that contains at least one row of data. Users of OpenRefine are advised to upgrade to version 3.8.3 or later to mitigate this risk.

Affected Version(s)

OpenRefine < 3.8.3

CVSS v3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published