CVE-2024-3270

Severity CVSS v4.0:

Pending analysis

Type:

CWE-284 Improper Access Control

Publication date:

03/04/2024

Last modified:

07/02/2025

Description

A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the component AdvancedFeature. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259282 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure and replied to be planning to fix this issue in version 3.7.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L CVSS v3.1 Severity and Metrics:

Base Score: 3.80 LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): Low

Base Score 3.x

3.80

Severity 3.x

LOW

Vector 2.0

AV:N/AC:L/Au:M/C:N/I:P/A:P CVSS v2.0 Severity and Metrics:

Base Score: 4.70 MEDIUM
Vector: AV:N/AC:L/Au:M/C:N/I:P/A:P

Attack Vector (AV): Network
Attack Complexity (AC): Low
Authentication (Au): Multiple
Confidentiality (C): None
Integrity (I): Physical
Availability (A): Physical