ThingsBoard 3.3.1 'name' Stored Cross-Site Scripting (XSS) Vulnerability / Exploit
Exploits / Vulnerability Discovered: 2022-08-09
Type: webapps
Platform: multiple
This exploit / vulnerability, ThingsBoard 3.3.1 'name' stored cross-site scripting (XSS), is for educational purposes only; if you use it, you do so at your own risk!
#Proof-Of-Concept:
When a rule node of any type is created with a script payload in its name, the payload is executed when a user hovers over the node in the rule chain editor.
#Steps
1. Create a new rule node (via the menu "Rule chains")
2. Put a JavaScript payload within the name, e.g. <script>alert('XSS')</script>
3. Save the node
4. Upon hovering over the node within the editor, the payload is executed
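A defensive illustration of the issue above, added here and not taken from ThingsBoard's code base: it contrasts building hover markup from the stored name as-is with escaping it at output, and adds an audit helper for names that were already stored. The function names, the tooltip markup and the node objects are hypothetical, and the assumption that the name reaches the page as raw HTML in a hover tooltip is inferred from the steps above.

```javascript
// Added example: hypothetical names and markup, not ThingsBoard source code.

// Escape the HTML-significant characters so the name is displayed, not parsed.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (assumed): the stored name is concatenated into markup unchanged.
function tooltipUnsafe(node) {
  return '<div class="tooltip"><b>' + node.name + '</b></div>';
}

// Hardened pattern: the name is escaped at the point where it is written to HTML.
function tooltipSafe(node) {
  return '<div class="tooltip"><b>' + escapeHtml(node.name) + '</b></div>';
}

// Audit helper: return ids of nodes whose stored name contains tag-like markup,
// so records saved before the fix can be reviewed. A bare ">" or "&" is not flagged.
function findSuspiciousNames(nodes) {
  return nodes.filter((n) => /<[a-z!\/]/i.test(String(n.name))).map((n) => n.id);
}

// Constructed sample data (not exported from a real system).
const sampleNodes = [
  { id: 'n1', name: 'Save Timeseries' },
  { id: 'n2', name: "<script>alert('XSS')</script>" },
  { id: 'n3', name: 'Temp > 30 & alarm' },
];

for (const n of sampleNodes) {
  console.log(n.id, tooltipSafe(n));
}
console.log('names to review:', findSuspiciousNames(sampleNodes));
```

Escaping at output keeps legitimate names such as "Temp > 30 & alarm" displayable, which rejecting special characters at input would not.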