Impact
Metabase ships with an internal development endpoint, /_internal, that can allow cross-site scripting (XSS) attacks, potentially enabling phishing with malicious links that could lead to account takeover.
Mitigation
Either upgrade immediately, or block access to the /_internal endpoints for Metabase at your firewall or reverse proxy. We have released patched versions of Metabase that remove /_internal from production builds.
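As an added illustration of the reverse-proxy mitigation (this is not configuration from the advisory or from the Metabase project, and the upstream name, listen port and server name are assumed), an nginx server block that refuses every request under /_internal before anything is forwarded to Metabase:

```nginx
# Assumed: Metabase listens on 127.0.0.1:3000 behind nginx on metabase.example.com.
upstream metabase_backend {
    server 127.0.0.1:3000;
}

server {
    listen 443 ssl;
    server_name metabase.example.com;

    # ssl_certificate / ssl_certificate_key omitted for brevity.

    # Block the internal development endpoint and everything below it.
    # "^~" is a prefix match that also stops any later regex location
    # from overriding this rule; nginx matches on the decoded,
    # normalized URI, so /_internal/, /_internal%2Ffoo and /./_internal
    # all land here. Returning 404 hides that the route exists at all.
    location ^~ /_internal {
        return 404;
    }

    # Everything else is proxied to Metabase as usual.
    location / {
        proxy_pass http://metabase_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, confirm the rule is in place with something like `curl -sS -o /dev/null -w '%{http_code}\n' https://metabase.example.com/_internal/` and expect 404, while a normal path such as `/api/health` still reaches Metabase. This only protects traffic that passes through the proxy: if the Metabase port is reachable directly (for example 3000 on an internal network), firewall it as well or, preferably, upgrade to a patched version so the endpoint is gone entirely.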
Patches
The following patches (or greater versions) are available:
- 0.42.4 and 1.42.4
- 0.41.7 and 1.41.7
- 0.40.8 and 1.40.8
Please upgrade immediately if the mitigation cannot be applied.
All releases are available on https://github.com/metabase/metabase/releases
Credits
Reported by https://github.com/bananabr via the security@ email address