Skip to main content

Thingsboard CVE-2022-45608

HIGH
Improper Privilege Management (CWE-269)
2023-03-01 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 01, 2023 - 16:15 nvd
HIGH 8.8

DescriptionNVD

An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know the corresponding API's parameter (authority : value).

AnalysisAI

An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know the corresponding API's parameter (authority : value). Affected products include: Thingsboard.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.

CVE-2023-45303 HIGH POC
8.8 Oct 06

ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because A

CVE-2020-27687 HIGH POC
8.8 Dec 18

ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. Rated high severity (CVSS 8.8),

CVE-2024-55466 MEDIUM POC
6.5 May 12

An arbitrary file upload vulnerability in the Image Gallery of ThingsBoard Community, ThingsBoard Cloud and ThingsBoard

CVE-2024-3270 MEDIUM POC
6.5 Apr 03

A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. Rated medium severity (CVSS 6.5), this v

CVE-2024-9358 MEDIUM POC
6.0 Oct 01

A vulnerability has been found in ThingsBoard up to 3.7.0 and classified as problematic. Rated medium severity (CVSS 6.0

CVE-2022-40004 CRITICAL
9.6 Dec 15

Cross Site Scripting (XSS) vulnerability in Things Board 3.4.1 allows remote attackers to escalate privilege via crafted

CVE-2022-31861 MEDIUM POC
5.4 Sep 13

Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs.

CVE-2026-53676 HIGH
8.6 Jun 17

Sandbox escape via prototype pollution in ThingsBoard (versions prior to v4.3.1.2) allows a TENANT_ADMIN-authenticated u

CVE-2023-26462 HIGH
8.1 Feb 23

ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usab

CVE-2025-34282 MEDIUM POC
6.9 Oct 17

SVG-based server-side request forgery in ThingsBoard versions prior to 4.2.1 allows upload of crafted SVG files containi

CVE-2026-9568 LOW
2.3 May 26

Code injection in ThingsBoard 4.3.1.0 and 4.3.1.1 allows remote attackers to embed control characters and shell metachar

Share

CVE-2022-45608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy