Total
8 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-45608 | 1 Thingsboard | 1 Thingsboard | 2023-03-08 | N/A | 8.8 HIGH |
| An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know the corresponding API's parameter (authority : value). | |||||
| CVE-2022-48341 | 1 Thingsboard | 1 Thingsboard | 2023-03-02 | N/A | 8.8 HIGH |
| ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve Vertical Privilege Escalation. A Tenant Administrator can obtain System Administrator dashboard access by modifying the scope via the scopes parameter. | |||||
| CVE-2023-26462 | 1 Thingsboard | 1 Thingsboard | 2023-03-02 | N/A | 9.8 CRITICAL |
| ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.) | |||||
| CVE-2022-40004 | 1 Thingsboard | 1 Thingsboard | 2022-12-21 | N/A | 9.6 CRITICAL |
| Cross Site Scripting (XSS) vulnerability in Things Board 3.4.1 allows remote attackers to escalate privilege via crafted URL to the Audit Log. | |||||
| CVE-2022-31861 | 1 Thingsboard | 1 Thingsboard | 2022-09-16 | N/A | 5.4 MEDIUM |
| Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs. | |||||
| CVE-2021-42750 | 1 Thingsboard | 1 Thingsboard | 2022-08-15 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the title of a rule node. | |||||
| CVE-2021-42751 | 1 Thingsboard | 1 Thingsboard | 2022-08-15 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the description of a rule node. | |||||
| CVE-2020-27687 | 1 Thingsboard | 1 Thingsboard | 2021-07-21 | 6.8 MEDIUM | 8.8 HIGH |
| ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an attacker to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to happen. | |||||