How severe is CVE-2024-47880?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.9 out of 10.

What type of vulnerability is CVE-2024-47880?

This is classified as CWE-79, which is a common weakness in software security.

CVE-2024-47880 - MEDIUM Severity | CVSS 6.9

Vulnerability Description

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue.

Related Vulnerabilities

CVE-2015-6005

MEDIUM

CVSS:6.9(Medium)

Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to inject arbitrary web script or HTML via (1) an SNMP OID object, (2) an SNMP trap mess...

CWE-792015

CVE-2019-11999

MEDIUM

CVSS:6.9(Medium)

Potential security vulnerabilities have been identified in HPE OpenCall Media Platform (OCMP) resulting in remote arbitrary file download and cross site scripting. HPE has made the following updates a...

CWE-792019

CVE-2020-8493

MEDIUM

CVSS:6.9(Medium)

A stored XSS vulnerability in Kronos Web Time and Attendance (webTA) affects 3.8.x and later 3.x versions before 4.0 via multiple input fields (Login Message, Banner Message, and Password Instructions...

CWE-792020

CVE-2020-8496

MEDIUM

CVSS:6.9(Medium)

In Kronos Web Time and Attendance (webTA) 4.1.x and later 4.x versions before 5.0, there is a Stored XSS vulnerability by setting the Application Banner input field of the /ApplicationBanner page as a...

CWE-792020

CVE-2021-33691

MEDIUM

CVSS:6.9(Medium)

NWDI Notification Service versions - 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.SAP NetWeaver Development Infrastructu...

CWE-792021

CVE-2022-0967

MEDIUM

CVSS:6.9(Medium)

Stored XSS via File Upload in star7th/showdoc in star7th/showdoc in GitHub repository star7th/showdoc prior to 2.10.4.

CWE-792022