ThingsBoard v4.3.0.1 and potentially earlier versions are vulnerable to an authentication bypass during the OAuth 2.0 authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.
- ThingsBoard v4.2.2.1 and v4.3.1.1 are no longer vulnerable
- Corresponding PR: thingsboard/thingsboard#15120
- Step 1: Sign up