Filtered by vendor Thingsboard
Total: 9 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-45303 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | N/A | 8.4 HIGH | ThingsBoard before 3.5 allows server-side template injection (SSTI) if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute (for content sent to the /api/admin/settings endpoint).
CVE-2023-26462 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | N/A | 8.1 HIGH | ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges, because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. To read this stored data, the attacker needs access to the application server or its source code.
CVE-2022-48341 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | N/A | 8.8 HIGH | ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve vertical privilege escalation: a Tenant Administrator can obtain System Administrator dashboard access by modifying the scope via the scopes parameter.
CVE-2022-45608 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | N/A | 8.8 HIGH | An issue was discovered in ThingsBoard 3.4.1 that allows a low-privileged attacker (CUSTOMER_USER) to escalate privileges vertically and become an administrator (TENANT_ADMIN or SYS_ADMIN) on the web application. To accomplish this, the attacker must know the corresponding API parameter name and value (authority: value).
CVE-2022-40004 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | N/A | 9.6 CRITICAL | Cross-site scripting (XSS) vulnerability in ThingsBoard 3.4.1 allows remote attackers to escalate privilege via a crafted URL to the Audit Log.
CVE-2022-31861 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | N/A | 5.4 MEDIUM | Cross-site scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value sent to the audit logs.
CVE-2021-42751 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in the Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the description of a rule node.
CVE-2021-42750 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in the Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the title of a rule node.
CVE-2020-27687 | 1 Thingsboard | 1 Thingsboard | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. Because the Host header is not validated, an attacker can cause the password-reset emails sent to victims to contain links that point to an attacker-controlled server.
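The two vertical privilege-escalation entries above (CVE-2022-45608 and CVE-2022-48341) share one defect class: a role or scope value supplied by the client is trusted as-is. The following is an added example, not ThingsBoard's own code, of a user-update handler in its vulnerable and hardened forms. The role names are ThingsBoard's; the handler, request body shape, in-memory store and the `authority_change_violation` helper are assumptions made for this illustration.

```python
"""Added example, not ThingsBoard's own code: an authority-ceiling check for a
user-update handler, modelling the defect class behind CVE-2022-45608 and
CVE-2022-48341 (a client-supplied `authority` / scope value trusted as-is).
Role names are ThingsBoard's; the handler, request shape and in-memory store
are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Least to most privileged; these are ThingsBoard's role names.
RANK = {"CUSTOMER_USER": 0, "TENANT_ADMIN": 1, "SYS_ADMIN": 2}


class Forbidden(Exception):
    """Raised when a caller tries to assign more privilege than they hold."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    authority: str  # from the validated session token, never from the body


def save_user_vulnerable(caller: Principal, body: dict, store: dict) -> dict:
    """Vulnerable pattern: whatever `authority` the client sends is stored.

    A CUSTOMER_USER who knows the parameter name can promote themselves."""
    user = dict(store.get(body["id"], {"id": body["id"], "authority": "CUSTOMER_USER"}))
    for field in ("email", "authority"):
        if field in body:
            user[field] = body[field]
    store[body["id"]] = user
    return user


def authority_change_violation(caller_authority: str, existing_authority: str,
                               requested: str) -> Optional[str]:
    """Return a reason the change must be refused, or None if it is allowed.

    Rules: the role must be known; CUSTOMER_USER may never change a role; a
    caller may assign only roles at or below their own rank; a caller may not
    edit a user who already outranks them."""
    if requested not in RANK:
        return f"unknown authority {requested!r}"
    caller_rank = RANK[caller_authority]
    if requested != existing_authority and caller_rank == RANK["CUSTOMER_USER"]:
        return "CUSTOMER_USER cannot change authorities"
    if RANK[requested] > caller_rank:
        return f"{caller_authority} cannot grant {requested}"
    if RANK[existing_authority] > caller_rank:
        return f"{caller_authority} cannot modify a {existing_authority}"
    return None


def save_user_hardened(caller: Principal, body: dict, store: dict) -> dict:
    """Hardened pattern: the requested role is checked against the caller's
    own role (from the session, not the body) before anything is written."""
    existing = store.get(body["id"], {"id": body["id"], "authority": "CUSTOMER_USER"})
    requested = body.get("authority", existing["authority"])
    reason = authority_change_violation(caller.authority, existing["authority"], requested)
    if reason is not None:
        raise Forbidden(reason)
    user = dict(existing)
    if "email" in body:
        user["email"] = body["email"]
    user["authority"] = requested
    store[body["id"]] = user
    return user


def demo() -> dict:
    """Run the same self-promotion request through both handlers.

    Constructed input: CUSTOMER_USER 'u1' sends its own id with
    authority=SYS_ADMIN, the parameter the CVE-2022-45608 text names."""
    caller = Principal("u1", "CUSTOMER_USER")
    body = {"id": "u1", "email": "u1@example.com", "authority": "SYS_ADMIN"}
    vulnerable_store = {"u1": {"id": "u1", "authority": "CUSTOMER_USER"}}
    hardened_store = {"u1": {"id": "u1", "authority": "CUSTOMER_USER"}}
    promoted = save_user_vulnerable(caller, body, vulnerable_store)["authority"]
    try:
        save_user_hardened(caller, body, hardened_store)
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "vulnerable_result": promoted,                                  # "SYS_ADMIN"
        "hardened_blocked": blocked,                                    # True
        "hardened_store_authority": hardened_store["u1"]["authority"],  # unchanged
    }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately a pure function of three role names so it can be unit-tested and reused by every endpoint that writes a role; the same shape applies to the `scopes` parameter in CVE-2022-48341, with the caller's real scope read from the session rather than the request.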
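For the Host header injection in CVE-2020-27687, the fix a practitioner wants to see is a reset link built from configured deployment settings rather than from the request. Below is an added example, not ThingsBoard's own code, showing the vulnerable link builder next to a hardened one that uses a configured base URL and additionally refuses requests whose Host is not on an allowlist. The base URL, allowlist, reset path, header dictionary and token are assumptions made for this illustration.

```python
"""Added example, not ThingsBoard's own code: building a password-reset link
from configuration instead of the request's Host header (the defect class
behind CVE-2020-27687). BASE_URL, ALLOWED_HOSTS, RESET_PATH and the header
dict are assumptions made for this illustration.
"""
from typing import Optional
from urllib.parse import urlencode

BASE_URL = "https://iot.example.com"   # assumed deployment setting
ALLOWED_HOSTS = {"iot.example.com"}    # assumed allowlist of public hostnames
RESET_PATH = "/reset"                  # hypothetical reset endpoint path


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's host is copied from the request.

    An attacker who requests a reset for a victim with a spoofed Host header
    makes the victim's e-mail link to the attacker's server, which then
    receives the reset token when the victim clicks."""
    host = headers.get("Host", "localhost")
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def host_is_allowed(host_header: Optional[str]) -> bool:
    """Defence in depth: accept the request only if Host names this deployment.

    Strips an optional port; bracketed IPv6 literals are compared whole."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        host = host.split("]", 1)[0] + "]"
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> Optional[str]:
    """Hardened pattern: never derive the link from Host or X-Forwarded-Host;
    use the configured public base URL. Requests with an unexpected Host are
    refused (None) so a spoofed request never reaches the mailer at all."""
    if not host_is_allowed(headers.get("Host")):
        return None
    return f"{BASE_URL}{RESET_PATH}?{urlencode({'token': token})}"


def demo() -> dict:
    """Constructed requests: one with a spoofed Host, one legitimate."""
    spoofed = {"Host": "attacker.example.net",
               "X-Forwarded-Host": "attacker.example.net"}
    legit = {"Host": "iot.example.com:443"}
    token = "c0ffee"
    return {
        "vulnerable": reset_link_vulnerable(spoofed, token),   # attacker host
        "hardened_spoofed": reset_link_hardened(spoofed, token),  # None
        "hardened_legit": reset_link_hardened(legit, token),      # BASE_URL link
    }


if __name__ == "__main__":
    for name, link in demo().items():
        print(f"{name}: {link}")
```

Using the configured base URL is the actual fix; the allowlist check is a second layer that also catches reverse proxies that forward arbitrary Host values, and it must compare the bare hostname rather than a substring so that `iot.example.com.attacker.example.net` is rejected.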