CVE-2022-45608
HIGHThingsBoard 3.4.1 - Privilege Escalation via Authority Parameter Manipulation
Title source: llmDescription
An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know the corresponding API's parameter (authority : value).
References (2)
Core 2
Core References
Not Applicable
http://thingsboard.com
Third Party Advisory
https://wiki.wizard32.net/en/blog/access-control-vulnerability-ThingsBoard
Scores
CVSS v3
8.8
EPSS
0.0091
EPSS Percentile
55.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-269
Status
published
Products (1)
thingsboard/thingsboard
3.4.1
Published
Mar 01, 2023
Tracked Since
Feb 18, 2026