CVE-2025-34281 | THREATINT

Description

ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files.

PUBLISHED Reserved 2025-04-15 | Published 2025-10-17 | Updated 2025-10-17 | Assigner VulnCheck

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unaffected

Any version before 4.2.1

affected

Credits

Tamil Mathi finder

References

github.com/thingsboard/thingsboard/releases/tag/v4.2.1 release-notes patch

github.com/thingsboard/thingsboard/pull/13927 patch

www.vulncheck.com/...sories/thingsboard-svg-image-stored-xss third-party-advisory

cve.org (CVE-2025-34281)

nvd.nist.gov (CVE-2025-34281)

Download JSON