CVE-2022-24855

Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
References
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*

History

22 Apr 2022, 18:44

Type Values Removed Values Added
References (CONFIRM) https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr - (CONFIRM) https://github.com/metabase/metabase/security/advisories/GHSA-wjw6-wm9w-7ggr - Release Notes, Third Party Advisory
References (MISC) https://github.com/metabase/metabase/releases/tag/v0.42.4 - (MISC) https://github.com/metabase/metabase/releases/tag/v0.42.4 - Release Notes, Third Party Advisory
CPE cpe:2.3:a:metabase:metabase:*:*:*:*:*:*:*:*
First Time Metabase metabase
Metabase
CVSS v2 : unknown
v3 : unknown
v2 : 3.5
v3 : 5.4

14 Apr 2022, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-04-14 22:15

Updated : 2023-12-10 14:22


NVD link : CVE-2022-24855

Mitre link : CVE-2022-24855

CVE.ORG link : CVE-2022-24855


JSON object : View

Products Affected

metabase

  • metabase
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')