Vulnerabilities > Thingsboard
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-10-06 | CVE-2023-45303 | Injection vulnerability in Thingsboard: ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute (for content sent to the /api/admin/settings endpoint). | 8.8 |
2023-03-01 | CVE-2022-45608 | Unspecified vulnerability in Thingsboard 3.4.1: An issue discovered in ThingsBoard 3.4.1 allows low-privileged attackers (CUSTOMER_USER) to escalate privileges vertically and become an Administrator (TENANT_ADMIN or SYS_ADMIN) on the web application. | 8.8 |
2023-02-23 | CVE-2022-48341 | Unspecified vulnerability in Thingsboard 3.4.1: ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve Vertical Privilege Escalation. | 8.8 |
2023-02-23 | CVE-2023-26462 | Use of Hard-coded Credentials vulnerability in Thingsboard 3.4.1: ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. | 8.1 |
2022-12-15 | CVE-2022-40004 | Cross-site Scripting vulnerability in Thingsboard 3.4.1: Cross-site scripting (XSS) vulnerability in ThingsBoard 3.4.1 allows remote attackers to escalate privileges via a crafted URL to the Audit Log. | 9.6 |
2022-09-13 | CVE-2022-31861 | Cross-site Scripting vulnerability in Thingsboard: Cross-site scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs. | 5.4 |
2022-08-12 | CVE-2021-42750 | Cross-site Scripting vulnerability in Thingsboard 3.3.1: A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the title of a rule node. | 4.8 |
2022-08-12 | CVE-2021-42751 | Cross-site Scripting vulnerability in Thingsboard 3.3.1: A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the description of a rule node. | 4.8 |
2020-12-18 | CVE-2020-27687 | Injection vulnerability in Thingsboard: ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. | 8.8 |