Vulnerability Description
Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Metabase | Metabase | >= 0.40.0, < 0.40.8 |
Related Weaknesses (CWE)
References
- https://github.com/metabase/metabase/releases/tag/v0.42.4Release NotesThird Party Advisory
- https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggrRelease NotesThird Party Advisory
- https://github.com/metabase/metabase/releases/tag/v0.42.4Release NotesThird Party Advisory
- https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggrRelease NotesThird Party Advisory
FAQ
What is CVE-2022-24855?
CVE-2022-24855 is a vulnerability with a CVSS score of 8.7 (HIGH). Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripti...
How severe is CVE-2022-24855?
CVE-2022-24855 has been rated HIGH with a CVSS base score of 8.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24855?
Check the references section above for vendor advisories and patch information. Affected products include: Metabase Metabase.