CVE-2023-45303

Name of the Vulnerable Software and Affected Versions ThingsBoard versions prior to 3.5

Description The issue allows Server-Side Template Injection if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute for content sent to the /api/admin/settings endpoint.

Recommendations For versions prior to 3.5, update to version 3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the /api/admin/settings endpoint and limiting user permissions to modify email templates until a patch is available.