ghsa-pw3x-c5vp-mfc3
Vulnerability from github
Published
2024-10-24 17:54
Modified
2024-10-30 19:03
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
OpenRefine has a reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)
Details

Summary

The /extension/gdata/authorized endpoint includes the state GET parameter verbatim in a <script> tag in the output, so without escaping.

An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine.

Details

The state GET parameter is read from:

  • extensions/gdata/module/MOD-INF/controller.js:105

It is used (as $state) in:

  • extensions/gdata/module/authorized.vt:43

There is no check that the state has the expected format (base64-encoded JSON with values like "openrefine123..." and "cb123..."), or that the page was indeed opened as part of the authorization flow.

PoC

Navigate to:

http://localhost:3333/extension/gdata/authorized?state=%22,alert(1),%22&error=

An alert box pops up.

The gdata extension needs to be present. No other configuration is needed; specifically, it is not required to have a client ID or client secret set.

Impact

Execution of arbitrary JavaScript in the user's browser. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openrefine:extensions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47878"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-24T17:54:25Z",
    "nvd_published_at": "2024-10-24T21:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `\u003cscript\u003e` tag in the output, so without escaping.\n\nAn attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim\u0027s browser as if it was part of OpenRefine.\n\n### Details\n\nThe `state` GET parameter is read from:\n\n* extensions/gdata/module/MOD-INF/controller.js:105\n\nIt is used (as `$state`) in:\n\n* extensions/gdata/module/authorized.vt:43\n\nThere is no check that the state has the expected format (base64-encoded JSON with values like \"openrefine123...\" and \"cb123...\"), or that the page was indeed opened as part of the authorization flow.\n\n### PoC\n\nNavigate to:\n\n    http://localhost:3333/extension/gdata/authorized?state=%22,alert(1),%22\u0026error=\n\nAn alert box pops up.\n\nThe gdata extension needs to be present. No other configuration is needed; specifically, it is not required to have a client ID or client secret set.\n\n### Impact\n\nExecution of arbitrary JavaScript in the user\u0027s browser. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present.",
  "id": "GHSA-pw3x-c5vp-mfc3",
  "modified": "2024-10-30T19:03:06Z",
  "published": "2024-10-24T17:54:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-pw3x-c5vp-mfc3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47878"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/OpenRefine/commit/10bf0874d67f1018a58b3732332d76b840192fea"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenRefine/OpenRefine"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenRefine has a reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.