CVE-2024-47882: 
Java vulnerability analysis and mitigation

OpenRefine, a free and open-source tool for working with messy data, was found to contain a security vulnerability (CVE-2024-47882) in versions prior to 3.8.3. The vulnerability was discovered and disclosed on October 24, 2024. The issue exists in the built-in "Something went wrong!" error page, which includes exception messages and exception traceback without properly escaping HTML tags (GitHub Advisory).

The vulnerability stems from the Command.respondWithErrorPage function (through HttpUtilities.respondWithErrorPage) which renders the Velocity template error.vt. The template includes $message and $stack variables in the response without proper HTML escaping, allowing for potential HTML tag injection. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NVD and 5.9 (Medium) by GitHub, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N (NVD, GitHub Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. The executed script would have the same privileges as the user, potentially enabling actions such as deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions if those extensions are present (GitHub Advisory).

The vulnerability has been fixed in OpenRefine version 3.8.3. The fix involves implementing proper HTML escaping for both the message and stack trace using Guava's HTML escaper (GitHub Commit). Users are advised to upgrade to version 3.8.3 or later to address this security issue (NVD).