@mohan794
mohan794 / CVE-2025-70340.md
Created April 14, 2026 16:18
Security Advisory: Broken Access Control in ThingsBoard ≤ 4.3.1.1

CVE ID: CVE-2025-70340


1. Vulnerability Description

ThingsBoard versions up to and including 4.3.1.1 contain a Broken Access Control vulnerability (CWE-284) in the alarm comments functionality. The comment-related API endpoints perform insufficient server-side authorization checks: the server accepts comment operations from an authenticated caller without adequately verifying that the caller is permitted to act on the alarm the comments belong to.
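The following is an added illustration of the bug class, not ThingsBoard's code and not a reproduction of the reported issue. It models a multi-tenant alarm service in memory (all names, tenants, alarm ids and comment text are constructed for the example) and contrasts a comment handler that only requires authentication with one that also authorizes the caller against the parent alarm. The `cross_tenant_probe` function is the check a practitioner would run against a real deployment with two accounts in different tenants: the second account should never be able to read, add or delete comments on the first account's alarm.

```python
"""Model of an alarm-comment authorization check (constructed example)."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but not permitted to act on this resource."""


@dataclass(frozen=True)
class User:
    user_id: str
    tenant_id: str


@dataclass
class Alarm:
    alarm_id: str
    tenant_id: str
    # comment_id -> (author_id, text)
    comments: dict = field(default_factory=dict)


class AlarmCommentService:
    """Hypothetical service; endpoint names are illustrative only."""

    def __init__(self):
        self.alarms: dict[str, Alarm] = {}
        self._next = 0

    def add_alarm(self, alarm_id, tenant_id):
        self.alarms[alarm_id] = Alarm(alarm_id, tenant_id)

    def _alarm_or_404(self, alarm_id):
        try:
            return self.alarms[alarm_id]
        except KeyError:
            raise LookupError(alarm_id) from None

    # --- vulnerable pattern: authentication only ---------------------------
    def get_comments_unchecked(self, caller, alarm_id):
        """Returns comments to any authenticated user, regardless of tenant."""
        return dict(self._alarm_or_404(alarm_id).comments)

    # --- hardened pattern: authorize against the parent alarm ---------------
    def _authorize(self, caller, alarm):
        # A comment has no ACL of its own; permission derives from the alarm.
        if alarm.tenant_id != caller.tenant_id:
            raise Forbidden(f"{caller.user_id} may not access {alarm.alarm_id}")

    def add_comment(self, caller, alarm_id, text):
        alarm = self._alarm_or_404(alarm_id)
        self._authorize(caller, alarm)
        self._next += 1
        comment_id = f"c{self._next}"
        alarm.comments[comment_id] = (caller.user_id, text)
        return comment_id

    def get_comments(self, caller, alarm_id):
        alarm = self._alarm_or_404(alarm_id)
        self._authorize(caller, alarm)
        return dict(alarm.comments)

    def delete_comment(self, caller, alarm_id, comment_id):
        alarm = self._alarm_or_404(alarm_id)
        self._authorize(caller, alarm)
        # The comment must belong to the authorized alarm; resolving a comment
        # by a global id after checking a different alarm would reopen the hole.
        if comment_id not in alarm.comments:
            raise LookupError(comment_id)
        del alarm.comments[comment_id]


def cross_tenant_probe():
    """A tenant-B user targets a tenant-A alarm through both handlers.

    Returns (comments_leaked_by_unchecked_handler, hardened_read_denied,
    hardened_delete_denied, comments_remaining_for_owner).
    """
    svc = AlarmCommentService()
    svc.add_alarm("alarm-A", tenant_id="tenant-A")
    alice = User("alice", "tenant-A")
    mallory = User("mallory", "tenant-B")
    cid = svc.add_comment(alice, "alarm-A", "pump pressure spiked at 03:12")

    leaked = len(svc.get_comments_unchecked(mallory, "alarm-A"))

    read_denied = False
    try:
        svc.get_comments(mallory, "alarm-A")
    except Forbidden:
        read_denied = True

    delete_denied = False
    try:
        svc.delete_comment(mallory, "alarm-A", cid)
    except Forbidden:
        delete_denied = True

    remaining = len(svc.get_comments(alice, "alarm-A"))
    return leaked, read_denied, delete_denied, remaining


if __name__ == "__main__":
    print(cross_tenant_probe())
```

The design point is that the authorization decision is made against the parent alarm on every comment operation, including delete, where the comment id is additionally required to belong to that alarm rather than being resolved independently.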