Vulnerability Details CVE-2025-34281
ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 15.2%
CVSS Severity
CVSS v3 Score 5.4
References
Products affected by CVE-2025-34281
-
cpe:2.3:a:thingsboard:thingsboard:1.0
-
cpe:2.3:a:thingsboard:thingsboard:1.0.1
-
cpe:2.3:a:thingsboard:thingsboard:1.0.2
-
cpe:2.3:a:thingsboard:thingsboard:1.0.3
-
cpe:2.3:a:thingsboard:thingsboard:1.1
-
cpe:2.3:a:thingsboard:thingsboard:1.2
-
cpe:2.3:a:thingsboard:thingsboard:1.2.1
-
cpe:2.3:a:thingsboard:thingsboard:1.2.2
-
cpe:2.3:a:thingsboard:thingsboard:1.2.3
-
cpe:2.3:a:thingsboard:thingsboard:1.3
-
cpe:2.3:a:thingsboard:thingsboard:1.3.1
-
cpe:2.3:a:thingsboard:thingsboard:1.4
-
cpe:2.3:a:thingsboard:thingsboard:2.0
-
cpe:2.3:a:thingsboard:thingsboard:2.0.1
-
cpe:2.3:a:thingsboard:thingsboard:2.0.2
-
cpe:2.3:a:thingsboard:thingsboard:2.0.3
-
cpe:2.3:a:thingsboard:thingsboard:2.1
-
cpe:2.3:a:thingsboard:thingsboard:2.1.1
-
cpe:2.3:a:thingsboard:thingsboard:2.1.2
-
cpe:2.3:a:thingsboard:thingsboard:2.1.3
-
cpe:2.3:a:thingsboard:thingsboard:2.2
-
cpe:2.3:a:thingsboard:thingsboard:2.3
-
cpe:2.3:a:thingsboard:thingsboard:2.3.1
-
cpe:2.3:a:thingsboard:thingsboard:2.4
-
cpe:2.3:a:thingsboard:thingsboard:2.4.1
-
cpe:2.3:a:thingsboard:thingsboard:2.4.2
-
cpe:2.3:a:thingsboard:thingsboard:2.4.2.1
-
cpe:2.3:a:thingsboard:thingsboard:2.4.3
-
cpe:2.3:a:thingsboard:thingsboard:2.5
-
cpe:2.3:a:thingsboard:thingsboard:2.5.1
-
cpe:2.3:a:thingsboard:thingsboard:2.5.2
-
cpe:2.3:a:thingsboard:thingsboard:2.5.3
-
cpe:2.3:a:thingsboard:thingsboard:2.5.4
-
cpe:2.3:a:thingsboard:thingsboard:2.5.5
-
cpe:2.3:a:thingsboard:thingsboard:3.0
-
cpe:2.3:a:thingsboard:thingsboard:3.0.1
-
cpe:2.3:a:thingsboard:thingsboard:3.1
-
cpe:2.3:a:thingsboard:thingsboard:3.1.1
-
cpe:2.3:a:thingsboard:thingsboard:3.2
-
cpe:2.3:a:thingsboard:thingsboard:3.3
-
cpe:2.3:a:thingsboard:thingsboard:3.3.1
-
cpe:2.3:a:thingsboard:thingsboard:3.3.2
-
cpe:2.3:a:thingsboard:thingsboard:3.3.3
-
cpe:2.3:a:thingsboard:thingsboard:3.3.4
-
cpe:2.3:a:thingsboard:thingsboard:3.3.4.1
-
cpe:2.3:a:thingsboard:thingsboard:3.4
-
cpe:2.3:a:thingsboard:thingsboard:3.4.1
-
cpe:2.3:a:thingsboard:thingsboard:3.4.2
-
cpe:2.3:a:thingsboard:thingsboard:3.4.3
-
cpe:2.3:a:thingsboard:thingsboard:3.4.4
-
cpe:2.3:a:thingsboard:thingsboard:3.5
-
cpe:2.3:a:thingsboard:thingsboard:3.5.1
-
cpe:2.3:a:thingsboard:thingsboard:3.6
-
cpe:2.3:a:thingsboard:thingsboard:3.6.1
-
cpe:2.3:a:thingsboard:thingsboard:3.6.2
-
cpe:2.3:a:thingsboard:thingsboard:3.6.3
-
cpe:2.3:a:thingsboard:thingsboard:3.6.4
-
cpe:2.3:a:thingsboard:thingsboard:3.7
-
cpe:2.3:a:thingsboard:thingsboard:3.8
-
cpe:2.3:a:thingsboard:thingsboard:3.8.1
-
cpe:2.3:a:thingsboard:thingsboard:3.9
-
cpe:2.3:a:thingsboard:thingsboard:3.9.1
-
cpe:2.3:a:thingsboard:thingsboard:4.0
-
cpe:2.3:a:thingsboard:thingsboard:4.0.1
-
cpe:2.3:a:thingsboard:thingsboard:4.0.2
-
cpe:2.3:a:thingsboard:thingsboard:4.1
-
cpe:2.3:a:thingsboard:thingsboard:4.2