Vavalomi

#47979 of 53,632
5.3 Total CVSS
Vulnerabilities · 1
PT-2021-23106
5.3
2021-10-04
Unknown · Survey Solutions · CVE-2021-41123
**Name of the Vulnerable Software and Affected Versions**

Survey Solutions versions prior to 21.09.1

**Description**

The issue concerns the Headquarters application of Survey Solutions, a survey management and data collection system. In affected versions, the `/metrics` endpoint is published and available to any user. This endpoint exposes aggregate counters, including the count of interviews or assignments, but does not expose survey answers.

**Recommendations**

For versions prior to 21.09.1, consider disabling the `/metrics` endpoint to prevent unauthorized access to aggregate counters until a version with the endpoint turned off by default can be implemented.