It was reported to us that the default setup of Survey Solutions exposed internal server metrics to any unauthenticated user.
No survey answers or questionnaire-specific content are affected, but the metrics do include a counter of the total number of interviews, as well as the memory and database space used by the server.
We decided to release a security advisory and advise all users to update to the latest version.
The fix involves a simple edit of a setting in appsettings.ini, so if you’d prefer to make the change manually instead of running the installer, please find and modify
UseMetricsEndpoint = true
to
UseMetricsEndpoint = false
in the Survey Solutions\Site\appsettings.ini file, and then restart the app.
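To audit or apply this setting across servers from a script, the following PowerShell is an added example, not part of the Survey Solutions installer or documentation. The script name and its -Path and -Fix parameters are hypothetical; it matches the key wherever it appears in the file and makes no assumption about which section holds it.

```powershell
# Added example (hypothetical script, not shipped with Survey Solutions).
# Usage: .\Check-MetricsSetting.ps1 -Path '<install dir>\Site\appsettings.ini' [-Fix]
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [switch]$Fix
)

$file    = (Resolve-Path -LiteralPath $Path).Path
# Key, optional spaces, '=', value, then any trailing text.
# Lines commented out with ';' or '#' do not match because the key must come first.
$pattern = '^(\s*UseMetricsEndpoint\s*=\s*)(\S+)(.*)$'
$found   = $false
$changed = $false

$updated = foreach ($line in [System.IO.File]::ReadAllLines($file)) {
    if ($line -match $pattern) {
        $found = $true
        if ($Matches[2] -ieq 'true') {
            Write-Warning "Metrics endpoint is enabled: '$($line.Trim())'"
            if ($Fix) {
                $changed = $true
                $Matches[1] + 'false' + $Matches[3]   # emit the corrected line
                continue
            }
        } else {
            Write-Host "OK: '$($line.Trim())'"
        }
    }
    $line   # emit every other line unchanged
}

if (-not $found) {
    Write-Warning "UseMetricsEndpoint not found in $file; nothing changed."
}

if ($changed) {
    # Keep a copy of the original file before rewriting it.
    Copy-Item -LiteralPath $file -Destination "$file.bak" -Force
    [System.IO.File]::WriteAllLines($file, [string[]]@($updated))
    Write-Host "Set UseMetricsEndpoint = false (backup: $file.bak). Restart the app to apply."
}
```

Run it without -Fix to report only; the change takes effect after the app is restarted, as described above.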
Please let us know if you have any questions.
If you would like to discuss this or a related issue in private, please write to us at email@example.com