CVE-2025-3261 | THREATINT

Description

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an `iframe` element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the `ImageController`, which fails to restrict the execution of JavaScript code when an image is loaded by the user's browser. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.

PUBLISHED Reserved 2025-04-04 | Published 2025-11-27 | Updated 2025-11-28 | Assigner Checkmarx

MEDIUM: 6.2CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unaffected

Any version before 4.2.1

affected

Credits

João Oliveira from Checkmarx Security Research Group finder

References

advisory.checkmarx.net/advisory/CVE-2025-3261/ third-party-advisory

github.com/...ommit/b2ae6f92d12206ea185a2e882945a6b69234bf03 patch

cve.org (CVE-2025-3261)

nvd.nist.gov (CVE-2025-3261)

Download JSON