ThingsBoard Image Gallery Arbitrary File Upload Vulnerability Allowing Code Execution

Vulnerability

A vulnerability allowing arbitrary file upload has been identified in the Image Gallery feature of ThingsBoard. This issue is present in the Community, Cloud, and Professional editions, all versions through 3.8.1. The vulnerability allows attackers to upload a crafted file that could execute arbitrary code on the server.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution on the server where ThingsBoard is hosted.

Reproduction

To reproduce this vulnerability, log into a low-privileged user account on a ThingsBoard instance. Navigate to the 'Resources' section and select 'Image Gallery'. Upload a malicious image file, such as an SVG containing a JavaScript payload, and note the file's public link. Then, access this link to trigger the payload, which could steal authentication tokens from the user.

Remediation

The ThingsBoard security team has acknowledged this vulnerability and plans to address it in a future release.
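The reproduction above hinges on two server-side gaps: an "image" upload that accepts SVG with embedded script, and a public link that serves the file inline so the browser runs it in the application's origin. The following is an added defensive illustration, not ThingsBoard's code and not a description of how its Image Gallery is implemented; it assumes a generic upload handler and shows the checks and response headers a maintainer would want in place: content sniffing so the declared extension matches the bytes, rejection of SVG that carries active content, and headers that keep a served upload inert even if a check is missed.

```python
"""Defensive checks for an image-upload endpoint (added example, generic handler assumed).

Two layers:
  1. validate_image_upload(): sniff the real type, require it to match the
     extension, and reject SVG documents that contain script-bearing constructs.
  2. download_headers(): serve stored uploads as attachments under a sandboxing
     CSP so a file that slips through cannot run in the application's origin.
"""
import os
import re
from xml.etree import ElementTree as ET

# Attribute names that can carry script in SVG (on* event handlers) and
# URL schemes that turn a link or reference into executable content.
_EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
_SCRIPT_SCHEME = re.compile(r"^\s*(javascript|data):", re.IGNORECASE)
_ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "set", "animate"}

# Only these extensions are accepted, and each must match the sniffed bytes.
_EXT_TO_TYPE = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".svg": "svg"}


def sniff_image_type(data: bytes):
    """Identify the file by its leading bytes, ignoring the client-supplied name."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<?xml") or b"<svg" in head:
        return "svg"
    return None


def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG contains script elements, event-handler attributes,
    or javascript:/data: references. Unparsable input is treated as unsafe.
    (In production prefer defusedxml over the stdlib parser for untrusted XML.)"""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # drop the namespace prefix
        if tag in _ACTIVE_TAGS:
            return True
        for name, value in elem.attrib.items():
            local = name.split("}")[-1]  # xlink:href arrives as {ns}href
            if _EVENT_ATTR.match(local):
                return True
            if local.lower() in ("href", "src") and _SCRIPT_SCHEME.match(value):
                return True
    return False


def validate_image_upload(filename: str, data: bytes, allow_svg: bool = True):
    """Return (accepted, reason). Rejects mismatched types and scripted SVG."""
    declared = _EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    if declared is None:
        return False, "extension not allowed"
    actual = sniff_image_type(data)
    if actual != declared:
        return False, f"content is {actual or 'unknown'}, not {declared}"
    if actual == "svg":
        if not allow_svg:
            return False, "svg uploads disabled"
        if svg_has_active_content(data):
            return False, "svg contains active content"
    return True, "ok"


def download_headers(filename: str) -> dict:
    """Headers for serving a stored upload: never render inline in the app origin."""
    safe = re.sub(r'[^\w.\-]', "_", os.path.basename(filename))
    return {
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs for a stand-alone run (not real uploads).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>void 0</script></svg>'
PNG_HEADER_ONLY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("ok.svg", CLEAN_SVG), ("bad.svg", SCRIPTED_SVG),
                       ("pic.png", PNG_HEADER_ONLY), ("pic.png", SCRIPTED_SVG)):
        print(name, validate_image_upload(name, blob))
    print(download_headers("../pic.png"))
```

The `sandbox` directive is the important header: even if a scripted SVG is stored, a sandboxed, attachment-served response runs with no origin, so it cannot read the application's cookies or local storage. Serving uploads from a separate origin altogether achieves the same isolation without depending on per-response headers.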

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 10.0
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.