CVE-2024-47878: 
Java vulnerability analysis and mitigation

OpenRefine, a free and open-source tool for working with messy data, was found to contain a cross-site scripting (XSS) vulnerability identified as CVE-2024-47878. Prior to version 3.8.3, the /extension/gdata/authorized endpoint included the state GET parameter verbatim in a <script> tag in the output without proper escaping. The vulnerability was discovered and disclosed in October 2024 (NVD, GitHub Advisory).

The vulnerability exists in the GData extension where the state GET parameter is read from extensions/gdata/module/MOD-INF/controller.js and used without validation in authorized.vt. The implementation failed to verify that the state parameter had the expected format (base64-encoded JSON with specific values) or that the page was opened as part of the authorization flow. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (GitHub Advisory).

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the user's browser. The attacker-provided code can perform any action available to the user, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions if those extensions are present (GitHub Advisory).

The vulnerability has been fixed in OpenRefine version 3.8.3. Users are advised to upgrade to this version or later to address the security issue. The fix includes proper validation and escaping of the state parameter (NVD, GitHub Patch).