CVE-2022-24855 Information

Description

Metabase is an open source business intelligence and analytics application. In affected versions, Metabase ships with an internal development endpoint, /_internal, that can allow cross-site scripting (XSS) attacks, potentially enabling phishing attempts with malicious links that could lead to account takeover. Users are advised either to upgrade immediately or to block access to the /_internal endpoints of Metabase at the firewall. The following patched versions (or greater) are available: 0.42.4 and 1.42.4; 0.41.7 and 1.41.7; 0.40.8 and 1.40.8.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr
https://github.com/metabase/metabase/releases/tag/v0.42.4

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
