CVE-2022-45608

EUVD-2022-48472
An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know the corresponding API's parameter (authority : value).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
Affected Products (NVD)
VendorProductVersion
thingsboardthingsboard
3.4.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://thingsboard.com
https://wiki.wizard32.net/en/blog/access-control-vulnerability-ThingsBoard
http://thingsboard.com
https://wiki.wizard32.net/en/blog/access-control-vulnerability-ThingsBoard