CVE-2025-34281

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-34281

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-34281.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-34281

Published

2025-10-17T19:15:37.197Z

Modified

2025-11-20T12:36:12.250863Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files.

References

Affected packages

Git / github.com/thingsboard/thingsboard

Affected ranges

Type: GIT
Repo: https://github.com/thingsboard/thingsboard
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

292e6a36a120c2056a3c19b501d8245d9e6f2db0

Affected versions

v1.*

v1.0

v1.1

v1.2

v1.2.1

v1.2.2

v1.2.3

v1.3

v1.3.1

v2.*

v2.0

v2.0.1

v2.0.2

v2.0.3

v2.1

v2.1.1

v2.1.2

v2.1.3

v2.2

v2.3

v2.4

v2.4.1

v2.4.2

v2.4.2.1

v2.4.3

v2.5

v3.*

v3.4

v4.*

v4.2