
Commit bde0712

1 parent 122e197 commit bde0712


1 file changed

+30
-5
lines changed


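--- a/advisories/unreviewed/2025/10/GHSA-fpq4-r87v-g246/GHSA-fpq4-r87v-g246.json
+++ b/advisories/github-reviewed/2025/10/GHSA-fpq4-r87v-g246/GHSA-fpq4-r87v-g246.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fpq4-r87v-g246",
-"modified": "2026-02-10T18:30:32Z",
+"modified": "2026-02-10T21:33:09Z",
 "published": "2025-10-17T21:31:17Z",
 "aliases": [
 "CVE-2025-34281"
 ],
+"summary": "ThingsBoard vulnerable to stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature",
 "details": "ThingsBoard versions < 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient sanitization and improper content-type validation of uploaded SVG files.",
 "severity": [
 {
@@ -14,10 +15,30 @@
 },
 {
 "type": "CVSS_V4",
-"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Maven",
+"name": "org.thingsboard:application"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "4.2.1"
+}
+]
+}
+]
 }
 ],
-"affected": [],
 "references": [
 {
 "type": "ADVISORY",
@@ -39,6 +60,10 @@
 "type": "WEB",
 "url": "https://advisory.checkmarx.net/advisory/CVE-2025-34281"
 },
+{
+"type": "PACKAGE",
+"url": "https://github.com/thingsboard/thingsboard"
+},
 {
 "type": "WEB",
 "url": "https://github.com/thingsboard/thingsboard/releases/tag/v4.2.1"
@@ -53,8 +78,8 @@
 "CWE-79"
 ],
 "severity": "MODERATE",
-"github_reviewed": false,
-"github_reviewed_at": null,
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-10T21:33:09Z",
 "nvd_published_at": "2025-10-17T19:15:37Z"
 }
 }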
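Review bot: The added `summary` says "vulnerable to stored cross-site scripting (XSS) vulnerability", which repeats itself; `"summary": "ThingsBoard vulnerable to stored cross-site scripting (XSS) in the dashboard's Image Upload Gallery feature",` reads cleanly in scanner output and alert titles. Separately, the new `affected` entry names only the Maven coordinate `org.thingsboard:application` with an ECOSYSTEM range from `0` to `4.2.1`, so dependency scanners will alert only on projects that resolve that artifact. If the SVG upload or rendering code also ships under other ThingsBoard coordinates (not visible in this diff), each would need its own `affected` entry. The fixed version matches the `details` text and the v4.2.1 release reference.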
