CVE-2025-34281
BaseFortify

Publication date: 2025-10-17

Last updated on: 2026-02-10

Assigner: VulnCheck

Description
ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an `iframe` element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the `ImageController`, which fails to restrict the execution of JavaScript code when an image is loaded by the user's browser. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-10-17
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: thingsboard
Product: thingsboard
Version / Range: to 3.7 (exc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a stored cross-site scripting (XSS) issue in ThingsBoard versions before 4.2.1. It occurs in the dashboard's Image Upload Gallery feature, where an attacker can upload an SVG file containing malicious JavaScript. Because the system does not properly sanitize or validate the content type of uploaded SVG files, the malicious script can execute when the SVG is displayed in the user interface. [1]


How can this vulnerability impact me?

An attacker exploiting this vulnerability can execute malicious JavaScript code in the context of the affected application’s user interface. This could lead to actions such as session hijacking, defacement, or other client-side attacks that rely on executing unauthorized scripts. However, according to the CVSS score, it does not directly impact confidentiality, integrity, or availability of the system. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying SVG files uploaded to the ThingsBoard dashboard's Image Upload Gallery feature that contain embedded JavaScript code. Since the issue arises from insufficient sanitization and improper content-type validation of SVG files, inspecting uploaded SVG files for script tags or JavaScript event handlers can help detect exploitation attempts. Specific commands are not provided in the available resources. [1]
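As an added example (not from the advisory, ThingsBoard, or the answer above), a small Python checker that applies the review the answer describes to SVG files: it flags script elements, on* event-handler attributes and javascript: URIs, and treats a parse error as a finding. The two sample SVGs are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample SVGs (not taken from the advisory). The "suspicious" one
# carries the markers the answer above says an SVG review should look for.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a href="javascript:alert(1)"><text>click</text></a>
</svg>"""


def _local_name(tag):
    """Strip the XML namespace prefix ({uri}name -> name) and lower-case it."""
    return tag.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return (reason, detail) findings for one SVG document.

    Flags <script> elements, inline event-handler attributes (on*), and
    href/src attributes using the javascript: scheme. A parse error is
    itself a finding, since a gallery should accept only well-formed SVG.
    Detection only; nothing is rewritten. For untrusted input in production,
    parse with defusedxml to resist entity-expansion tricks.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]

    for elem in root.iter():
        name = _local_name(elem.tag)
        if name == "script":
            findings.append(("script-element", (elem.text or "").strip()[:60]))
        for attr, value in elem.attrib.items():
            aname = _local_name(attr)  # also catches xlink:href
            if aname.startswith("on"):
                findings.append(("event-handler", f"{name}@{aname}={value!r}"))
            elif aname in ("href", "src") and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript-uri", f"{name}@{aname}={value!r}"))
    return findings


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, find_active_content(doc))
```

Run it over the files stored by the gallery to list those that carry active content; an empty result for a file means none of these markers were found, not that the file is safe.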


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade ThingsBoard to version 4.2.1 or later, where this stored XSS vulnerability has been addressed. Until the upgrade is applied, restrict or monitor SVG file uploads to the dashboard's Image Upload Gallery feature to prevent malicious SVG files containing JavaScript from being uploaded and executed. [1]

