exploitDog

CVE-2025-34282

Опубликовано: 17 окт. 2025

Источник: nvd

CVSS3: 9.1

EPSS Низкий

Описание

ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

Ссылки

https://github.com/thingsboard/thingsboard/pull/13927
Issue Tracking
https://github.com/thingsboard/thingsboard/releases/tag/v4.2.1
Release Notes
https://www.vulncheck.com/advisories/thingsboard-svg-image-ssrf
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:thingsboard:thingsboard:*:*:*:*:*:*:*:*

Версия до 4.2.1 (исключая)

EPSS

Процентиль: 12%

0.00039

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-918

Связанные уязвимости

GHSA-c4r5-r62q-8988

CVSS3: 9.1

github

4 месяца назад

ThingsBoard versions < 4.2.1 contain a server-side request forgery (SSRF) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload a malicious SVG file that references a remote URL. If the server processes the SVG file in a way that parses external references, it may initiate unintended outbound requests. This can be used to access internal services or resources.

EPSS

Процентиль: 12%

0.00039

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-918