CVE-2025-34281
MEDIUM5.4EPSS 0.03%ThingsBoard vulnerable to stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature
發布日:2025/10/17修改日:2026/2/10
描述
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files.
受影響套件(1)
- Maven/org.thingsboard:applicationfrom 0, < 4.2.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-34281
- PATCHhttps://github.com/thingsboard/thingsboard
- WEBhttps://advisory.checkmarx.net/advisory/CVE-2025-3261
- WEBhttps://advisory.checkmarx.net/advisory/CVE-2025-34281
- WEBhttps://github.com/thingsboard/thingsboard/commit/b2ae6f92d12206ea185a2e882945a6b69234bf03
- WEBhttps://github.com/thingsboard/thingsboard/pull/13927
- WEBhttps://github.com/thingsboard/thingsboard/releases/tag/v4.2.1
- WEBhttps://www.vulncheck.com/advisories/thingsboard-svg-image-stored-xss