ThingsBoard before v3.2 is vulnerable to Host header injection in password-reset emails. This allows an malicious user to send malicious links in password-reset emails to victims, pointing to an attacker-controlled server. Lack of validation of the Host header allows this to happen.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
thingsboard thingsboard |