CVE-2023-45303
Description
ThingsBoard before 3.5 contains a server-side template injection vulnerability via Apache FreeMarker in email templates, allowing authenticated admins to execute arbitrary commands on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The vulnerability is a server-side template injection (SSTI) in ThingsBoard versions prior to 3.5. Applications using Apache FreeMarker for email template processing are affected because FreeMarker supports the freemarker.template.utility.Execute class, which can run external commands [1]. An attacker with permission to modify email templates can inject malicious FreeMarker directives into the template content, which is then rendered and executed server-side when an email is sent [2].
Exploitation
Exploitation requires an authenticated user with administrative privileges to modify email templates via the /api/admin/settings endpoint [1]. The attacker inserts a FreeMarker directive like <#assign ex="freemarker.template.utility.Execute"?new()> ${ex("command")} into the template body [2]. When the email is generated and sent, the injected directive executes the specified system command on the ThingsBoard server. This attack is possible because the application does not sanitize or restrict the use of dangerous FreeMarker built-ins in user-controlled template content [3].
Impact
Successful exploitation allows arbitrary command execution on the underlying operating system with the privileges of the ThingsBoard application process. This can lead to full compromise of the server's confidentiality, integrity, and availability, including data exfiltration, installation of persistence, or lateral movement within the network [2]. The CVSS v3 score is 7.5 (High): high privileges are required, but the potential impact is severe [2].
Mitigation and Fix
The vendor has fixed this issue in ThingsBoard version 3.5 [1]. Users should upgrade to the patched version immediately. If upgrading is not possible, restrict administrative privileges to trusted personnel only, and ensure that email template modification permissions are tightly controlled. No official workarounds are documented, but disabling the Execute utility in FreeMarker configuration could be considered as an additional hardening measure [3].
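As an added illustration of the FreeMarker hardening measure mentioned above (example code, not ThingsBoard's own), the following Java snippet configures FreeMarker so that the `?new` built-in cannot instantiate `freemarker.template.utility.Execute`, then checks that a template carrying the directive quoted in this advisory is rejected instead of rendered. It assumes Java 11+ and FreeMarker 2.3.x on the classpath; the class name and template strings are constructed for the example.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

// Constructed example class (not part of ThingsBoard).
public class HardenedMailTemplates {

    // FreeMarker's default resolver (TemplateClassResolver.UNRESTRICTED_RESOLVER) is the weak
    // setting: any class name handed to ?new is instantiated, Execute included.
    // SAFER_RESOLVER refuses Execute, ObjectConstructor and JythonRuntime only;
    // ALLOWS_NOTHING_RESOLVER refuses every ?new call. Mail templates never need ?new,
    // so the example refuses it entirely.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Surface template errors as exceptions instead of writing partial output into the mail.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    // Render a template body (as stored in the mailTemplates setting) against a data model.
    static String render(Configuration cfg, String body, Map<String, Object> model) throws Exception {
        Template template = new Template("mail", new StringReader(body), cfg);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();

        // A legitimate template only interpolates values from the model and still renders.
        String benign = "Hello ${name}, your activation link is ${link}";
        System.out.println(render(cfg, benign,
                Map.of("name", "Alice", "link", "https://example.invalid/activate")));

        // Constructed template containing the ?new directive quoted in this advisory. With the
        // hardened resolver, evaluating ?new throws before any class is instantiated.
        String injected = "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"command\")}";
        try {
            render(cfg, injected, Map.of());
            System.out.println("NOT BLOCKED: review the resolver setting");
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The same resolver setting can be applied to any existing `Configuration` instance; it does not require changing the templates themselves.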
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.thingsboard:thingsboard (Maven) | < 3.5 | 3.5 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing neutralization of FreeMarker template directives in user-modifiable email templates allows server-side template injection."
Attack vector
An attacker who has privileges to modify email templates sends a POST request to `/api/admin/settings` with a `mailTemplates` JSON payload containing a FreeMarker SSTI payload in the `body` field, such as `
Affected code
The vulnerability resides in the email template processing functionality exposed via the `/api/admin/settings` endpoint. ThingsBoard uses Apache FreeMarker to render mail templates, and users with permission to modify these templates (under "White Labeling => Mail Templates") can inject arbitrary FreeMarker directives into the template body [ref_id=1].
What the fix does
The advisory states that the vendor fixed the issue in ThingsBoard version 3.5, released on 2023-05-11 [ref_id=1]. No patch diff is provided in the bundle. The recommended remediation is to define templates statically wherever possible and to sanitize or mask user input before it is inserted into a template, preventing injection of template meta-characters [ref_id=1].
Preconditions
- auth: Attacker must have a valid session with permission to modify email templates (White Labeling => Mail Templates)
- network: Attacker must be able to send HTTP requests to the ThingsBoard API endpoints /api/admin/settings and /api/admin/settings/testMail
- input: Attacker must supply a crafted FreeMarker SSTI payload in the mail template body
Reproduction
1. Authenticate as a user with permission to modify email templates.
2. Send a POST request to `/api/admin/settings` with a JSON body containing `"key": "mailTemplates"` and a `jsonValue` that includes a template with a FreeMarker command-execution payload in the `body` field, e.g. `
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.