Thingsboard Security Vulnerabilities

CVE-2023-45303
ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute (for content sent to the /api/admin/settings...
CVSS: 8.8 | AI Score: 8.7 | EPSS: 0.001 | Published: 2023-10-06 07:15 PM
CVE-2023-26462
ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source...
CVSS: 8.1 | AI Score: 8.1 | EPSS: 0.003 | Published: 2023-02-23 06:15 AM
CVE-2022-45608
An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know....
CVSS: 8.8 | AI Score: 8.6 | EPSS: 0.001 | Published: 2023-03-01 04:15 PM
CVE-2022-48341
ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve Vertical Privilege Escalation. A Tenant Administrator can obtain System Administrator dashboard access by modifying the scope via the scopes...
CVSS: 8.8 | AI Score: 8.2 | EPSS: 0.002 | Published: 2023-02-23 06:15 AM
CVE-2022-40004
Cross Site Scripting (XSS) vulnerability in Things Board 3.4.1 allows remote attackers to escalate privilege via crafted URL to the Audit...
CVSS: 9.6 | AI Score: 8.5 | EPSS: 0.002 | Published: 2022-12-15 11:15 PM
CVE-2022-31861
Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit...
CVSS: 5.4 | AI Score: 5.1 | EPSS: 0.001 | Published: 2022-09-13 10:15 PM
CVE-2021-42750
A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the title of a rule...
CVSS: 4.8 | AI Score: 4.8 | EPSS: 0.001 | Published: 2022-08-12 05:15 PM
CVE-2021-42751
A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the description of a rule...
CVSS: 4.8 | AI Score: 4.8 | EPSS: 0.001 | Published: 2022-08-12 05:15 PM
CVE-2020-27687
ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to...
CVSS: 8.8 | AI Score: 8.7 | EPSS: 0.003 | Published: 2020-12-18 07:15 PM