org.openrefine:main@3.8.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.openrefine:main package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the LoadLanguageCommand component due to improper sanitization of the strLang parameter. An attacker can read arbitrary JSON files on the system by manipulating the strLang parameter to construct a path outside of the intended directory.

How to fix Directory Traversal?

Upgrade org.openrefine:main to version 3.8.3 or higher.

[,3.8.3)
  • M
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ExportRowsCommand component due to improper sanitization of the Content-Type header. An attacker can execute arbitrary JavaScript in the user's browser by leading a user to a malicious page that submits a form POST containing embedded JavaScript.

Note:

This is only exploitable if the attacker knows a valid project ID of a project that contains at least one row.

How to fix Cross-site Scripting (XSS)?

Upgrade org.openrefine:main to version 3.8.3 or higher.

[,3.8.3)
  • M
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the PreviewExpressionCommand process due to missing validation of the CSRF token. An attacker can exploit this vulnerability by convincing a user to visit a malicious website and interact with a crafted page that submits a POST request without the user's consent.

Note: This is only exploitable if the attacker knows a valid project ID and the project contains at least one row.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade org.openrefine:main to version 3.8.3 or higher.

[,3.8.3)