N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-3261

CVE-2025-3261: ThingsBoard allows an authenticated user to upload malicious SVG images

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an iframe element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the ImageController, which fails to restrict the execution of JavaScript code when an image is loaded by the user's browser. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-3261

CVE-2025-3261:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.thingsboard:application	maven	< 4.2.1	4.2.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows authenticated users to upload malicious SVG images, leading to a stored Cross-Site Scripting (XSS) vulnerability. The provided commit b2ae6f92d12206ea185a2e882945a6b69234bf03 directly addresses this issue. The patch modifies the downloadIfChanged method within the ImageController.java file. Specifically, it adds a Content-Security-Policy header with the value default-src 'none' to the HTTP response when an image is served. This change prevents the browser from executing any embedded scripts within the SVG file, thus neutralizing the XSS threat. The location of the patch pinpoints org.thingsboard.server.controller.ImageController.downloadIfChanged as the function responsible for serving the vulnerable content without proper security controls.

Vulnerable functions

org.thingsboard.server.controller.ImageController.downloadIfChanged

application/src/main/java/org/thingsboard/server/controller/ImageController.java

The `downloadIfChanged` function in `ImageController` was vulnerable to a stored XSS attack. It served user-uploaded SVG images without a Content-Security-Policy header. This allowed malicious JavaScript embedded within an SVG image to be executed by the victim's browser when the image was viewed. The patch mitigates this by adding a restrictive `Content-Security-Policy` header, preventing script execution.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-3261: ThingsBoard allows an authenticated user to upload malicious SVG images

CVE-2025-3261:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-3261: ThingsBoard allows an authenticated user to upload malicious SVG images

Technical Details

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI