Vulnerability	Vulnerable Version
H Directory Traversal Affected versions of this package are vulnerable to Directory Traversal via the `LoadLanguageCommand` component due to improper sanitization of the `strLang` parameter. An attacker can read arbitrary JSON files on the system by manipulating the `strLang` parameter to construct a path outside of the intended directory. How to fix Directory Traversal? Upgrade `org.openrefine:main` to version 3.8.3 or higher.	[,3.8.3)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `ExportRowsCommand` component due to improper sanitization of the `Content-Type` header. An attacker can execute arbitrary JavaScript in the user's browser by leading a user to a malicious page that submits a form POST containing embedded JavaScript. Note: This is only exploitable if the attacker knows a valid project ID of a project that contains at least one row. How to fix Cross-site Scripting (XSS)? Upgrade `org.openrefine:main` to version 3.8.3 or higher.	[,3.8.3)
M Cross-site Request Forgery (CSRF) Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the `PreviewExpressionCommand` process due to missing validation of the CSRF token. An attacker can exploit this vulnerability by convincing a user to visit a malicious website and interact with a crafted page that submits a POST request without the user's consent. Note: This is only exploitable if the attacker knows a valid project ID and the project contains at least one row. How to fix Cross-site Request Forgery (CSRF)? Upgrade `org.openrefine:main` to version 3.8.3 or higher.	[,3.8.3)

Go back to all versions of this package