CVE-2025-34282

Medium CVSS: 6.9

ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

Vendor

Thingsboard

Product

Thingsboard

CWE

CWE-918

Yayın Tarihi

2025-10-17 19:15:37

Güncelleme

2025-10-24 13:43:12

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-918 Thingsboard MEDIUM Thingsboard 2025

Referanslar

https://github.com/thingsboard/thingsboard/pull/13927 https://github.com/thingsboard/thingsboard/releases/tag/v4.2.1 https://www.vulncheck.com/advisories/thingsboard-svg-image-ssrf

Benzer Kayıtlar

Medium

CVE-2025-34281

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Galle…

Medium

CVE-2025-9094

A vulnerability was detected in ThingsBoard 4.1. This vulnerability affects unknown code of the component Add Gateway Ha…

Medium

CVE-2024-55466

An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard…