Vulnerabilities > Thingsboard

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendor / CWE | Risk |
|---|---|---|---|---|---|---|---|
| 2023-10-06 | CVE-2023-45303 | Injection vulnerability in Thingsboard | ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute (for content sent to the /api/admin/settings endpoint). | network | low complexity | thingsboard CWE-74 | 8.8 |
| 2023-03-01 | CVE-2022-45608 | Unspecified vulnerability in Thingsboard 3.4.1 | An issue was discovered in ThingsBoard 3.4.1 that allows low-privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. | network | low complexity | thingsboard | 8.8 |
| 2023-02-23 | CVE-2022-48341 | Unspecified vulnerability in Thingsboard 3.4.1 | ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve Vertical Privilege Escalation. | network | low complexity | thingsboard | 8.8 |
| 2023-02-23 | CVE-2023-26462 | Use of Hard-coded Credentials vulnerability in Thingsboard 3.4.1 | ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. | network | high complexity | thingsboard CWE-798 | 8.1 |
| 2022-12-15 | CVE-2022-40004 | Cross-site Scripting vulnerability in Thingsboard 3.4.1 | Cross Site Scripting (XSS) vulnerability in ThingsBoard 3.4.1 allows remote attackers to escalate privilege via a crafted URL to the Audit Log. | network | low complexity | thingsboard CWE-79 | critical 9.6 |
| 2020-12-18 | CVE-2020-27687 | Injection vulnerability in Thingsboard | ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. | | | | 6.8 |