Openrefine
by Openrefine
Source repositories
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-41887 | Cri | 0.60 | 9.8 | 0.45 | Sep 15, 2023 | OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue. | ||
| CVE-2019-3580 | Hig | 0.49 | 7.5 | 0.02 | Jan 3, 2019 | OpenRefine through 3.1 allows arbitrary file write because Directory Traversal can occur during the import of a crafted project file. | ||
| CVE-2018-20157 | Hig | 0.49 | 7.5 | 0.02 | Dec 15, 2018 | The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files. | ||
| CVE-2024-47881 | Hig | 0.46 | 8.1 | 0.01 | Oct 24, 2024 | OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote)… | ||
| CVE-2024-47880 | Hig | 0.46 | 8.1 | 0.00 | Oct 24, 2024 | OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to… | ||
| CVE-2024-47878 | Hig | 0.46 | 8.1 | 0.00 | Oct 24, 2024 | OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `` tag in the output, so without escaping. An attacker could lead or redirect a user to… | ||
| CVE-2024-47879 | Hig | 0.42 | 7.6 | 0.00 | Oct 24, 2024 | OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The… | ||
| CVE-2024-23833 | Hig | 0.42 | 7.5 | 0.01 | Feb 12, 2024 | OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver… | ||
| CVE-2023-41886 | Hig | 0.42 | 7.5 | 0.01 | Sep 15, 2023 | OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue. | ||
| CVE-2024-49760 | Hig | 0.39 | 7.1 | 0.01 | Oct 24, 2024 | OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it… | ||
| CVE-2022-41401 | Med | 0.35 | 6.5 | 0.01 | Aug 4, 2023 | OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure. | ||
| CVE-2024-47882 | Med | 0.31 | 5.9 | 0.00 | Oct 24, 2024 | OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can… | ||
| CVE-2023-37476 | Med | 0.29 | 5.5 | 0.01 | Jul 17, 2023 | OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all… |
- risk 0.60cvss 9.8epss 0.45
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue.
- risk 0.49cvss 7.5epss 0.02
OpenRefine through 3.1 allows arbitrary file write because Directory Traversal can occur during the import of a crafted project file.
- risk 0.49cvss 7.5epss 0.02
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
- risk 0.46cvss 8.1epss 0.01
OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote)…
- risk 0.46cvss 8.1epss 0.00
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to…
- risk 0.46cvss 8.1epss 0.00
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `` tag in the output, so without escaping. An attacker could lead or redirect a user to…
- risk 0.42cvss 7.6epss 0.00
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The…
- risk 0.42cvss 7.5epss 0.01
OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver…
- risk 0.42cvss 7.5epss 0.01
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue.
- risk 0.39cvss 7.1epss 0.01
OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it…
- risk 0.35cvss 6.5epss 0.01
OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.
- risk 0.31cvss 5.9epss 0.00
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can…
- risk 0.29cvss 5.5epss 0.01
OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all…