VYPR
Vendor

Openrefine

Products
2
CVEs
14
Across products
14
Status
Private

Products

2

Recent CVEs

14
  • CVE-2023-41887CriSep 15, 2023
    risk 0.60cvss 9.8epss 0.45

    OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue.

  • CVE-2024-47883CriOct 24, 2024
    risk 0.52cvss 9.1epss 0.02

    The OpenRefine fork of the MIT Simile Butterfly server is a modular web application framework. The Butterfly framework uses the `java.net.URL` class to refer to (what are expected to be) local resource files, like images or templates. This works: "opening a connection" to these…

  • CVE-2019-3580HigJan 3, 2019
    risk 0.49cvss 7.5epss 0.02

    OpenRefine through 3.1 allows arbitrary file write because Directory Traversal can occur during the import of a crafted project file.

  • CVE-2018-20157HigDec 15, 2018
    risk 0.49cvss 7.5epss 0.02

    The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.

  • CVE-2024-47881HigOct 24, 2024
    risk 0.46cvss 8.1epss 0.01

    OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote)…

  • CVE-2024-47880HigOct 24, 2024
    risk 0.46cvss 8.1epss 0.00

    OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to…

  • CVE-2024-47878HigOct 24, 2024
    risk 0.46cvss 8.1epss 0.00

    OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `` tag in the output, so without escaping. An attacker could lead or redirect a user to…

  • CVE-2024-47879HigOct 24, 2024
    risk 0.42cvss 7.6epss 0.00

    OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The…

  • CVE-2024-23833HigFeb 12, 2024
    risk 0.42cvss 7.5epss 0.01

    OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver…

  • CVE-2023-41886HigSep 15, 2023
    risk 0.42cvss 7.5epss 0.01

    OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue.

  • CVE-2024-49760HigOct 24, 2024
    risk 0.39cvss 7.1epss 0.01

    OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it…

  • CVE-2022-41401MedAug 4, 2023
    risk 0.35cvss 6.5epss 0.01

    OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.

  • CVE-2024-47882MedOct 24, 2024
    risk 0.31cvss 5.9epss 0.00

    OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can…

  • CVE-2023-37476MedJul 17, 2023
    risk 0.29cvss 5.5epss 0.01

    OpenRefine is a free, open source tool for data processing. A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. The vulnerability exists in all…