12 matches found
ThingsBoard IoT Platform 4.2.0 - Server-Side Request Forgery (SSRF)
Exploit Title: ThingsBoard IoT Platform 4.2.0 - Server-Side Request Forgery SSRF Date: 2026-03-25 Exploit Author: Tamil Mathi T. Vendor Homepage: https://thingsboard.io Software Link: https://github.com/thingsboard/thingsboard Version: . When ThingsBoard processes the uploaded SVG server-side, it...
CVE-2025-34281
ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting XSS vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...
EUVD-2025-34907
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient...
ThingsBoard vulnerable to stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient...
GHSA-FPQ4-R87V-G246 ThingsBoard vulnerable to stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient...
CVE-2025-34281
ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting XSS vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...
CVE-2025-34282 ThingsBoard < v4.2.1 SVG Image SSRF
ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may...
CVE-2025-34281
ThingsBoard vulnerability CVE-2025-34281 affects pre-4.2.1 releases. An authenticated user can upload malicious SVGs via the Image Gallery, enabling Stored XSS when the image is loaded by a browser (e.g., through public API access or iframe embedding during widget creation/deployment on dashboard...
CVE-2025-34281 Stored Cross-Site Scripting (XSS) in ThingsBoard
ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting XSS vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...
CVE-2025-34281 Stored Cross-Site Scripting (XSS) in ThingsBoard
ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting XSS vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if t...
ThingsBoard Security Vulnerability
ThingsBoard is a Java-based platform for IOT devices for monitoring, management, and data collection by the ThingsBoard team. A security vulnerability exists in ThingsBoard versions prior to 4.2.1 that stems from a server-side request forgery in the Image Upload Gallery feature of the dashboard,...
PT-2025-42641
Name of the Vulnerable Software and Affected Versions ThingsBoard versions prior to 4.2.1 Description The software contains a stored cross-site scripting XSS issue within the dashboard's Image Upload Gallery feature. An attacker can upload a Scalable Vector Graphics SVG file containing malicious...