CVE-2024-47880: 
Java vulnerability analysis and mitigation

OpenRefine, a free and open-source tool for working with messy data, was found to contain a vulnerability (CVE-2024-47880) in versions prior to 3.8.3. The vulnerability was discovered in the export-rows command functionality, which could be exploited through a malicious page that submits a form POST containing embedded JavaScript code (GitHub Advisory).

The vulnerability exists in the export-rows command where it reflects part of the request verbatim, along with a Content-Type header taken from the request. The attack requires setting the contentType parameter to text/html and preview to true, causing the browser to treat what OpenRefine considers an export preview as a regular webpage. The CSV exporter (separator and lineSeparator fields) and templating exporter (any field) are affected, with possible injection points in the dateSettings.custom field or the SQL exporter default value field for projects containing date or null cells (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (NVD).

If successfully exploited, the vulnerability allows the execution of arbitrary JavaScript code in the user's browser within OpenRefine's origin. The attacker-provided code can perform any action available to the user, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions if those extensions are present. The attacker must know a valid project ID of a project that contains at least one row (GitHub Advisory).

The vulnerability has been fixed in OpenRefine version 3.8.3. The fix includes dropping support for the contentType parameter and adding a Content-Security-Policy header to the response that disables scripts. The patch ensures that the content type declared by the exporter is always used instead of allowing it to be overridden (GitHub Commit).