Home

Description

EN DE

A vulnerability was detected in ThingsBoard 4.1. This vulnerability affects unknown code of the component Add Gateway Handler. The manipulation leads to improper neutralization of special elements used in a template engine. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor replies, that "[t]he fix will come within upcoming release (v4.2) and will be inherited by maintenance releases of LTS versions (starting 4.0)."

Eine Schwachstelle wurde in ThingsBoard 4.1 gefunden. Das betrifft eine unbekannte Funktionalität der Komponente Add Gateway Handler. Durch Manipulieren mit unbekannten Daten kann eine improper neutralization of special elements used in a template engine-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.

PUBLISHED Reserved 2025-08-17 | Published 2025-08-17 | Updated 2025-08-18 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C
MEDIUM: 4.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C
4.0AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:C

Problem types

Improper Neutralization of Special Elements Used in a Template Engine

Incomplete Filtering of Special Elements

Timeline

2025-08-17:Advisory disclosed
2025-08-17:VulDB entry created
2025-08-17:VulDB entry last update

Credits

xhalyl (VulDB User) reporter

References

vuldb.com/?id.320416 (VDB-320416 | ThingsBoard Add Gateway special elements used in a template engine) vdb-entry

vuldb.com/?ctiid.320416 (VDB-320416 | CTI Indicators (IOB, IOC, TTP)) signature permissions-required

vuldb.com/?submit.626292 (Submit #626292 | ThingsBoard ThingsBoard IoT Platform 4.1.0 Stored Client-Side Template Injection (CSTI)) third-party-advisory

drive.google.com/...d/1cZy-rfQXsF58kJIVs4UXj7usXJuhjZjA/view broken-link exploit

cve.org (CVE-2025-9094)

nvd.nist.gov (CVE-2025-9094)

Download JSON