We have identified a security vulnerability in Metric Insights (MI) that will be remediated in v6.4.4, and is available as a patch for all actively supported versions of MI.

The vulnerability refers to a MITM (man-in-the-middle) attack where a POST call to the web container can be intercepted and re-used to overwrite an MI user's email address. This vulnerability can only be exploited under these specific conditions:

• The bad actor must be in your network.
• The bad actor must have administrative user access to the MI web interface.
• The bad actor must be able to convince an administrative user to allow self-signed SSL certificate to be used in their browser.
• The bad actor is able to set up a proxy server of any kind within the MI environment that will allow them to intercept the requests from the user's browser to the backend MI web container.

All the above mentioned conditions must be met to perform the attack. Potentially, if an administrative user is the bad actor themselves, they will already have access to the MI application to change or manipulate any user information in the system.

To prevent this exploit, all users must not allow self-signed SSL certificates under any circumstances in their browser.

On the MI application side, we can prepared a patch for your current version of MI if it belongs with the 5 latest supported versions (6.3.5+). Send an email to [email protected] if you've still not received the patch from us.