ID

VAR-202208-0485


CVE

CVE-2021-42751


TITLE

Cross-site scripting vulnerability in ThingsBoard by ThingsBoard, Inc.

Trust: 0.8

sources: JVNDB: JVNDB-2021-020159

DESCRIPTION

A cross-site scripting (XSS) vulnerability in Rule Engine in ThingsBoard 3.3.1 allows remote attackers (with administrative access) to inject arbitrary JavaScript within the description of a rule node.

ThingsBoard by ThingsBoard, Inc. contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with.

ThingsBoard is a Java-based platform by the ThingsBoard team for monitoring, managing and collecting data from IoT devices. ThingsBoard version 3.3.1 has a security vulnerability that allows an attacker to place a script payload in the name of a rule node when creating it; the payload is then executed in the editor.

ThingsBoard version 3.3.1 suffers from multiple persistent cross-site scripting vulnerabilities.

#Steps
1. Create a new rule node (via the menu "Rule chains")
2. Put a JavaScript payload within the description, e.g. <script>alert('XSS')</script>
3. Save the node
4.

#Steps
1. Create a new rule node (via the menu "Rule chains")
2. Put a JavaScript payload within the name, e.g. <script>alert('XSS')</script>
3. Save the node
4

Trust: 2.34

sources: NVD: CVE-2021-42751 // JVNDB: JVNDB-2021-020159 // CNNVD: CNNVD-202208-2461 // VULMON: CVE-2021-42751 // PACKETSTORM: 167999

AFFECTED PRODUCTS

vendor: thingsboard, model: thingsboard, scope: eq, version: 3.3.1

Trust: 1.8

vendor: thingsboard, model: thingsboard, scope: eq, version: -

Trust: 0.8

vendor: thingsboard, model: thingsboard, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2021-020159 // NVD: CVE-2021-42751

CVSS

SEVERITY

NVD: CVE-2021-42751
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-202208-2461
value: MEDIUM

Trust: 0.6

CVSSV2

CVSSV3

NVD:
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-42751
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2021-020159 // NVD: CVE-2021-42751 // CNNVD: CNNVD-202208-2461

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-020159 // NVD: CVE-2021-42751

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202208-2461

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 167999 // CNNVD: CNNVD-202208-2461

CONFIGURATIONS

sources: NVD: CVE-2021-42751

EXTERNAL IDS

db: NVD, id: CVE-2021-42751

Trust: 3.4

db: PACKETSTORM, id: 167999

Trust: 2.6

db: JVNDB, id: JVNDB-2021-020159

Trust: 0.8

db: EXPLOIT-DB, id: 51004

Trust: 0.6

db: CNNVD, id: CNNVD-202208-2461

Trust: 0.6

db: VULMON, id: CVE-2021-42751

Trust: 0.1

sources: VULMON: CVE-2021-42751 // JVNDB: JVNDB-2021-020159 // PACKETSTORM: 167999 // NVD: CVE-2021-42751 // CNNVD: CNNVD-202208-2461

REFERENCES

url: https://packetstormsecurity.com/files/167999/thingsboard-3.3.1-cross-site-scripting.html

Trust: 3.1

url: https://github.com/thingsboard/thingsboard

Trust: 2.4

url: https://nvd.nist.gov/vuln/detail/cve-2021-42751

Trust: 0.9

url: https://cxsecurity.com/cveshow/cve-2021-42751/

Trust: 0.6

url: https://www.exploit-db.com/exploits/51004

Trust: 0.6

url: https://nvd.nist.gov/vuln/detail/cve-2021-42750

Trust: 0.1

url: https://thingsboard.io/

Trust: 0.1

url: https://github.com/thingsboard/thingsboard/releases/tag/v3.3.1

Trust: 0.1

sources: VULMON: CVE-2021-42751 // JVNDB: JVNDB-2021-020159 // PACKETSTORM: 167999 // NVD: CVE-2021-42751 // CNNVD: CNNVD-202208-2461

CREDITS

Steffen Langenfeld, Sebastian Biehler

Trust: 0.1

sources: PACKETSTORM: 167999

SOURCES

db: VULMON, id: CVE-2021-42751
db: JVNDB, id: JVNDB-2021-020159
db: PACKETSTORM, id: 167999
db: NVD, id: CVE-2021-42751
db: CNNVD, id: CNNVD-202208-2461

LAST UPDATE DATE

2023-12-18T12:15:24.123000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2021-020159, date: 2023-09-20T08:33:00
db: NVD, id: CVE-2021-42751, date: 2022-08-15T19:03:53.500
db: CNNVD, id: CNNVD-202208-2461, date: 2022-08-16T00:00:00

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2021-020159, date: 2023-09-20T00:00:00
db: PACKETSTORM, id: 167999, date: 2022-08-08T16:43:08
db: NVD, id: CVE-2021-42751, date: 2022-08-12T17:15:08.627
db: CNNVD, id: CNNVD-202208-2461, date: 2022-08-08T00:00:00