Vulnerabilities > Thingsboard > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-06 | CVE-2023-45303 | Injection vulnerability in Thingsboard ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute (for content sent to the /api/admin/settings endpoint). | 8.8 |
| 2023-03-01 | CVE-2022-45608 | Unspecified vulnerability in Thingsboard 3.4.1 An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. | 8.8 |
| 2023-02-23 | CVE-2022-48341 | Unspecified vulnerability in Thingsboard 3.4.1 ThingsBoard 3.4.1 could allow a remote authenticated attacker to achieve Vertical Privilege Escalation. | 8.8 |
| 2023-02-23 | CVE-2023-26462 | Use of Hard-coded Credentials vulnerability in Thingsboard 3.4.1 ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. | 8.1 |
| 2020-12-18 | CVE-2020-27687 | Injection vulnerability in Thingsboard ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. | 8.8 |