CVE-2022-24855: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in metabase metabase
Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
AI Analysis
Technical Summary
CVE-2022-24855 is a cross-site scripting (XSS) vulnerability affecting Metabase, an open-source business intelligence and analytics platform widely used for data visualization and dashboarding. The vulnerability stems from improper neutralization of user input during web page generation, specifically within an internal development endpoint located at `/_internal`. This endpoint is shipped with affected versions of Metabase ranging from 0.40.0 up to but not including 0.40.8, 0.41.0 up to 0.41.7, 0.42.0 up to 0.42.4, and their corresponding 1.x versions. The flaw allows an attacker to inject malicious scripts that execute in the context of a victim's browser when they access crafted URLs or pages involving the vulnerable endpoint. Exploitation could lead to phishing attacks, where malicious links appear legitimate, potentially resulting in account takeover if the victim interacts with the payload. The vulnerability does not require authentication to exploit if the endpoint is exposed, increasing the attack surface. Mitigation involves upgrading to patched versions (0.40.8, 0.41.7, 0.42.4 or higher) or blocking access to the `/_internal` endpoint via firewall rules. No known exploits have been reported in the wild as of the publication date, but the presence of an internal endpoint accessible externally can pose a significant risk if left unpatched or unprotected.
Potential Impact
For European organizations using Metabase, this vulnerability poses a risk primarily to the confidentiality and integrity of user accounts and data. Successful exploitation could allow attackers to execute arbitrary scripts in users' browsers, enabling phishing campaigns that may lead to credential theft and unauthorized access to sensitive business intelligence data. This could result in data leakage, manipulation of analytics dashboards, and erosion of trust in internal reporting systems. Given the use of Metabase in sectors such as finance, healthcare, and government, the impact could extend to regulatory non-compliance and reputational damage. The vulnerability's exploitation does not directly affect system availability but can indirectly disrupt operations through compromised user accounts and data integrity. Organizations with publicly accessible Metabase instances or insufficient network segmentation are at higher risk. The medium severity rating reflects the potential for targeted attacks leveraging social engineering combined with this technical flaw.
Mitigation Recommendations
1. Immediate upgrade to the latest patched Metabase versions (0.40.8, 0.41.7, 0.42.4 or newer) to eliminate the vulnerability. 2. If immediate upgrade is not feasible, implement strict firewall rules or web application firewall (WAF) policies to block all external access to the `/_internal` endpoint, ensuring it is only accessible from trusted internal networks. 3. Conduct a thorough audit of Metabase deployment configurations to verify no unintended exposure of internal endpoints exists. 4. Educate users about phishing risks and encourage vigilance when interacting with links related to Metabase dashboards. 5. Monitor logs for unusual access patterns or attempts to reach the `/_internal` endpoint. 6. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within Metabase web pages. 7. Regularly review and update incident response plans to include scenarios involving XSS and phishing attacks targeting business intelligence platforms.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
CVE-2022-24855: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in metabase metabase
Description
Metabase is an open source business intelligence and analytics application. In affected versions Metabase ships with an internal development endpoint `/_internal` that can allow for cross site scripting (XSS) attacks, potentially leading to phishing attempts with malicious links that could lead to account takeover. Users are advised to either upgrade immediately, or block access in your firewall to `/_internal` endpoints for Metabase. The following patches (or greater versions) are available: 0.42.4 and 1.42.4, 0.41.7 and 1.41.7, 0.40.8 and 1.40.8.
AI-Powered Analysis
Technical Analysis
CVE-2022-24855 is a cross-site scripting (XSS) vulnerability affecting Metabase, an open-source business intelligence and analytics platform widely used for data visualization and dashboarding. The vulnerability stems from improper neutralization of user input during web page generation, specifically within an internal development endpoint located at `/_internal`. This endpoint is shipped with affected versions of Metabase ranging from 0.40.0 up to but not including 0.40.8, 0.41.0 up to 0.41.7, 0.42.0 up to 0.42.4, and their corresponding 1.x versions. The flaw allows an attacker to inject malicious scripts that execute in the context of a victim's browser when they access crafted URLs or pages involving the vulnerable endpoint. Exploitation could lead to phishing attacks, where malicious links appear legitimate, potentially resulting in account takeover if the victim interacts with the payload. The vulnerability does not require authentication to exploit if the endpoint is exposed, increasing the attack surface. Mitigation involves upgrading to patched versions (0.40.8, 0.41.7, 0.42.4 or higher) or blocking access to the `/_internal` endpoint via firewall rules. No known exploits have been reported in the wild as of the publication date, but the presence of an internal endpoint accessible externally can pose a significant risk if left unpatched or unprotected.
Potential Impact
For European organizations using Metabase, this vulnerability poses a risk primarily to the confidentiality and integrity of user accounts and data. Successful exploitation could allow attackers to execute arbitrary scripts in users' browsers, enabling phishing campaigns that may lead to credential theft and unauthorized access to sensitive business intelligence data. This could result in data leakage, manipulation of analytics dashboards, and erosion of trust in internal reporting systems. Given the use of Metabase in sectors such as finance, healthcare, and government, the impact could extend to regulatory non-compliance and reputational damage. The vulnerability's exploitation does not directly affect system availability but can indirectly disrupt operations through compromised user accounts and data integrity. Organizations with publicly accessible Metabase instances or insufficient network segmentation are at higher risk. The medium severity rating reflects the potential for targeted attacks leveraging social engineering combined with this technical flaw.
Mitigation Recommendations
1. Immediate upgrade to the latest patched Metabase versions (0.40.8, 0.41.7, 0.42.4 or newer) to eliminate the vulnerability. 2. If immediate upgrade is not feasible, implement strict firewall rules or web application firewall (WAF) policies to block all external access to the `/_internal` endpoint, ensuring it is only accessible from trusted internal networks. 3. Conduct a thorough audit of Metabase deployment configurations to verify no unintended exposure of internal endpoints exists. 4. Educate users about phishing risks and encourage vigilance when interacting with links related to Metabase dashboards. 5. Monitor logs for unusual access patterns or attempts to reach the `/_internal` endpoint. 6. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within Metabase web pages. 7. Regularly review and update incident response plans to include scenarios involving XSS and phishing attacks targeting business intelligence platforms.
Affected Countries
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2022-02-10T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9843c4522896dcbf2ca4
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 10:49:59 AM
Last updated: 2/7/2026, 10:46:59 AM
Views: 39
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2083: SQL Injection in code-projects Social Networking Site
MediumCVE-2026-2082: OS Command Injection in D-Link DIR-823X
MediumCVE-2026-2080: Command Injection in UTT HiPER 810
HighCVE-2026-2079: Improper Authorization in yeqifu warehouse
MediumCVE-2026-1675: CWE-1188 Initialization of a Resource with an Insecure Default in brstefanovic Advanced Country Blocker
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.