9.1
CVE-2024-47883 - Butterfly has path/URL confusion in resource handling leading to multiple weaknesses
The OpenRefine fork of the MIT Simile Butterfly server is a modular web application framework. The Butterfly framework uses the `java.net.URL` class to refer to (what are expected to be) local resource files, like images or templates. This works: "opening a connection" to these URLs opens the local…
5.9
CVE-2024-47882 - OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of mali…
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an erro…
8.1
CVE-2024-47881 - OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)
OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so …
8.1
CVE-2024-47880 - OpenRefine has a reflected cross-site scripting vulnerability from POST request in ExportRowsCommand
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page th…
8.1
CVE-2024-10327 -
A vulnerability in Okta Verify for iOS versions 9.25.1 (beta) and 9.27.0 (including beta) allows push notification responses through the iOS ContextExtension feature allowing the authentication to proceed regardless of the user's selection. When a user long-presses the notification banner and selec…
7.6
CVE-2024-47879 - OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request f…
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can cont…
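The missing check described in the `preview-expression` entry is a server-side decision about whether a request came from the application's own pages. The following is an added example (not OpenRefine's code) of such a check in Node.js: it uses the browser-set `Sec-Fetch-Site` header when present, falls back to `Origin` and `Referer` for older browsers, and otherwise requires a custom header that a cross-site form post or no-cors fetch cannot attach. The port, origins and the `handlePreviewExpression` wrapper are assumptions made for the example; the request headers in the test are constructed.

```javascript
// Added example, not OpenRefine's code. Origins the server is reachable at
// (assumed values for the example; a real deployment derives them from its
// bind address and port).
const OWN_ORIGINS = new Set(['http://127.0.0.1:3333', 'http://localhost:3333']);

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Returns true when the request should be rejected as cross-site.
function isCrossSiteRequest(rawHeaders) {
  // Header names are case-insensitive; normalise once.
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = v;

  // 1. Fetch metadata: set by the browser and not writable by page script.
  //    'same-origin' is the app's own pages; 'none' is a direct navigation
  //    or a non-browser client that chose to send the header.
  if (h['sec-fetch-site'] !== undefined) {
    return !(h['sec-fetch-site'] === 'same-origin' || h['sec-fetch-site'] === 'none');
  }

  // 2. Browsers without fetch metadata: Origin (sent on cross-origin POST),
  //    then the origin part of Referer. The literal string "null" (sandboxed
  //    or opaque origin) is not in OWN_ORIGINS and is therefore rejected.
  const origin = h['origin'] ?? (h['referer'] ? originOf(h['referer']) : null);
  if (origin !== null) return !OWN_ORIGINS.has(origin);

  // 3. No provenance headers at all. A cross-site <form> or no-cors fetch
  //    cannot add a custom header without a CORS preflight this server would
  //    not approve, so require one before trusting the request.
  return h['x-requested-with'] !== 'XMLHttpRequest';
}

// Constructed command handler (assumed shape): the expression is only passed
// on for evaluation when the request is not cross-site.
function handlePreviewExpression(headers, expression) {
  if (isCrossSiteRequest(headers)) {
    return { status: 403, body: 'cross-site request rejected' };
  }
  return { status: 200, body: `accepted for evaluation: ${expression}` };
}
```

The check is layered because each signal is only available from some clients: modern browsers always send `Sec-Fetch-Site`, older ones send `Origin` on cross-origin POSTs, and scripted or command-line clients send neither and must opt in with the custom header. A per-session anti-CSRF token is the other standard approach and composes with this one.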
9.8
CVE-2024-7763 - WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability
In WhatsUp Gold versions released before 2024.0.0, an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials.
8.1
CVE-2024-47878 - Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL conta…
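The error-page entry (CVE-2024-47882) and the GData entry (CVE-2024-47878) above are the same defect in two output contexts: untrusted text placed in HTML body content, and untrusted text placed inside a `<script>` element. The encoding required differs per context, and the inline-script case is the one most often done wrong because `JSON.stringify` alone does not stop the HTML parser from ending the script element at a literal `</script`. The following is an added example (not OpenRefine's code) showing a vulnerable rendering shape beside a hardened one; the `renderUnsafe`/`renderSafe` templates and the payloads are constructed for illustration.

```javascript
// Added example, not OpenRefine's code: context-aware output encoding for the
// two sinks named in the advisories above. Payloads and templates are constructed.

// HTML text context: the five characters that can begin or end markup or
// terminate an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Inline <script> context. JSON.stringify produces a valid JS string literal,
// but the HTML tokenizer still closes the script element at the first
// "</script" inside it, and U+2028/U+2029 are line terminators in pre-ES2019
// engines. Escaping them as \uXXXX keeps the literal valid JSON and valid JS,
// and the engine decodes them back to the original characters.
function jsStringLiteral(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable shape (constructed): raw interpolation into both contexts, the
// pattern the two advisories describe for the exception message and the
// `state` parameter.
function renderUnsafe(message, state) {
  return `<pre>${message}</pre>\n<script>var state = "${state}";</script>`;
}

// Hardened shape: each value is encoded for the context it lands in.
function renderSafe(message, state) {
  return `<pre>${escapeHtml(message)}</pre>\n<script>var state = ${jsStringLiteral(state)};</script>`;
}

// Counts script start tags an HTML parser would see. More than the one the
// template contains means injected text broke out of the intended script.
function countScriptOpens(html) {
  return (html.match(/<script\b/gi) || []).length;
}
```

`renderSafe` keeps `state` as real data: the page's script receives exactly the original string (the `\u003c` sequence decodes to `<`), while the HTML parser never sees a second tag. Escaping only the HTML characters, as `escapeHtml` does, would be wrong in the script context, since `&lt;` would then reach the JavaScript variable as literal text.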
5.5
CVE-2024-47173 - Aimeos GraphQL API admin interface denial of service vulnerability in SaaS and marketplace setups
Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue.
7.1
CVE-2024-46998 - baserCMS has a Cross-site Scripting (XSS) Vulnerability in Edit Email Form Settings Feature
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Edit Email Form Settings Feature. Version 5.1.2 fixes the issue.