ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. Because the Host header is not validated, an attacker can cause password-reset emails sent to victims to contain malicious links that point to an attacker-controlled server.

CPE

Name | Operator | Version |
---|---|---|
thingsboard | eq | 1.3.1 |
thingsboard | eq | 1.2.1 |
thingsboard | eq | 2.4 |
thingsboard | eq | 2.0.1 |
thingsboard | eq | 1.3 |
thingsboard | eq | 2.1.2 |
thingsboard | eq | 2.4.3 |
thingsboard | eq | 1.1 |
thingsboard | eq | 2.5 |
thingsboard | eq | 2.4.2 |
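
The missing Host header validation described above, shown as a framework-agnostic sketch of the flawed link-building pattern next to a hardened one. This is an added example, not ThingsBoard code; the base URL, allowed hosts, route, header dictionary and function names are all assumptions made for illustration.

```python
from urllib.parse import quote, urlsplit

# Assumed deployment settings (constructed values, not ThingsBoard configuration).
CANONICAL_BASE_URL = "https://iot.example.com"
ALLOWED_HOSTS = {"iot.example.com", "iot.example.com:443"}
RESET_PATH = "/reset-password"  # hypothetical route


def vulnerable_reset_link(headers, token):
    """Flawed pattern: the emailed link's host is whatever the client sent."""
    return f"https://{headers.get('Host', '')}{RESET_PATH}?token={quote(token, safe='')}"


def normalize_host(value):
    """Return lowercase host[:port], or None if the header value is malformed."""
    if not value or any(c in value for c in " \t\r\n/@\\?#,"):
        return None
    try:
        parts = urlsplit("//" + value)
        host, port = parts.hostname, parts.port  # .port raises on bad ports
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")
    return host if port is None else f"{host}:{port}"


def host_is_trusted(headers):
    """True only if Host, and X-Forwarded-Host when present, name this site."""
    values = [headers.get("Host")]
    if "X-Forwarded-Host" in headers:
        values.append(headers["X-Forwarded-Host"])
    return all(normalize_host(v) in ALLOWED_HOSTS for v in values)


def hardened_reset_link(headers, token):
    """Reject untrusted hosts and build the link from configuration only."""
    if not host_is_trusted(headers):
        raise ValueError("untrusted Host header")
    return f"{CANONICAL_BASE_URL}{RESET_PATH}?token={quote(token, safe='')}"
```

The hardened version never copies request data into the link, so the allowlist check serves only to reject and log suspicious requests before an email is sent.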