CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

The url parameter of the /api/geojson endpoint in Metabase versions <44.5 can be used to perform Server Side Request Forgery attacks. Previously implemented blacklists could be circumvented by leveraging 301 and 302 redirects. • https://www.tenable.com/security/research/tra-2022-34 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Cross-site scripting vulnerability in Metabase version 0.29.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. • http://jvn.jp/en/jp/JVN14323043/index.html • https://metabase.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')