org.openrefine:main@3.8-beta5 vulnerabilities

Affected versions of this package are vulnerable to Directory Traversal via the LoadLanguageCommand component due to improper sanitization of the strLang parameter. An attacker can read arbitrary JSON files on the system by manipulating the strLang parameter to construct a path outside of the intended directory.

Upgrade org.openrefine:main to version 3.8.3 or higher.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ExportRowsCommand component due to improper sanitization of the Content-Type header. An attacker can execute arbitrary JavaScript in the user's browser by leading a user to a malicious page that submits a form POST containing embedded JavaScript.

Note:

This is only exploitable if the attacker knows a valid project ID of a project that contains at least one row.

Upgrade org.openrefine:main to version 3.8.3 or higher.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the PreviewExpressionCommand process due to missing validation of the CSRF token. An attacker can exploit this vulnerability by convincing a user to visit a malicious website and interact with a crafted page that submits a POST request without the user's consent.

Note: This is only exploitable if the attacker knows a valid project ID and the project contains at least one row.

Upgrade org.openrefine:main to version 3.8.3 or higher.