Vulnerabilities > CVE-2022-45608 - Unspecified vulnerability in Thingsboard 3.4.1

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

thingsboard

NVD

Published: 2023-03-01

Updated: 2023-05-11

Summary

An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know the corresponding API's parameter (authority : value).

Vulnerable Configurations

Part	Description	Count
Application	Thingsboard Thingsboard Thingsboard 3.4.1	1

References

http://thingsboard.com
https://wiki.wizard32.net/en/blog/access-control-vulnerability-ThingsBoard