Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)
Vulnerability Description
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
OpenRefine 代码注入漏洞
Vulnerability Description
OpenRefine是一款基于Java的开源工具。该产品主要用于加载数据、分析数据和清理数据等。 OpenRefine 3.8.3版本之前存在代码注入漏洞,该漏洞源于preview-expression命令缺乏跨站请求伪造保护。
CVSS Information
N/A
Vulnerability Type
N/A