Describe the bug
OpenRefine 3.2 (and below) has an XXE vulnerability that can be triggered through a data import. It is possible to steal data from an OpenRefine user.
Please consider disabling external DTDs.
To Reproduce
See the video (zipped because of GH file extension restrictions) xxe.zip
Current Results
File content is sent over FTP, no feedback is shown to the user.
Desktop (please complete the following information):
Tested on (desktop version is not important)
OpenRefine (please complete the following information):
Datasets
ext.dtd
payload.xml
Additional info
Sorry that I was a bit inactive during the last issue :).
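
The request above to disable external DTDs, sketched for a Java StAX parser as an added example. This is not OpenRefine's code or its actual fix, and the class name, method names and sample documents are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedXmlImport {
    // Factory for untrusted import data: no DTD processing, no external entities.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    // Returns the concatenated character data; throws if the parser rejects the document.
    static String readText(XMLInputFactory factory, String xml) throws XMLStreamException {
        StringBuilder text = new StringBuilder();
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    public static void main(String[] args) {
        // Constructed samples: the first names an external DTD on a reserved .invalid host.
        String withDtd = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE rows SYSTEM \"http://dtd.invalid/ext.dtd\">\n"
                + "<rows><row>&fromDtd;</row></rows>";
        String plain = "<rows><row>alpha</row><row>beta</row></rows>";
        XMLInputFactory factory = hardenedFactory();
        try {
            System.out.println("plain import: " + readText(factory, plain));
            System.out.println("DTD import:   " + readText(factory, withDtd));
        } catch (XMLStreamException e) {
            // With the DTD skipped the entity is undeclared; some StAX parsers reject it here.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whether the second document is rejected or parsed with the entity left unexpanded depends on the StAX implementation on the classpath, so an import path should be tested against the parser it actually ships with.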