# Exploit Title: ThingsBoard 3.3.1 - Stored Cross-Site Scripting (XSS) within the description of a rule node
# Date: 03/08/2022
# Exploit Author: Steffen Langenfeld & Sebastian Biehler
# Vendor Homepage:
# Software Link:
# Version: 3.3.1
# CVE : CVE-2021-42751
# Tested on: Linux

When any rule node is created with a script payload in its description, the payload is executed when a user hovers over the node in the editor.


1. Create a new rule node (via the menu "Rule chains")
2. Put a JavaScript payload within the description, e.g. <script>alert('XSS')</script>
3. Save the node
4. Upon hovering above the node within the editor the payload is executed

# Exploit Title: ThingsBoard 3.3.1 - Stored Cross-Site Scripting (XSS) within the name of a rule node
# Date: 03/08/2022
# Exploit Author: Steffen Langenfeld & Sebastian Biehler
# Vendor Homepage:
# Software Link:
# Version: 3.3.1
# CVE : CVE-2021-42750
# Tested on: Linux

When any rule node is created with a script payload in its name, the payload is executed when a user hovers over the node in the editor.


1. Create a new rule node (via the menu "Rule chains")
2. Put a JavaScript payload within the name, e.g. <script>alert('XSS')</script>
3. Save the node
4. Upon hovering above the node within the editor the payload is executed
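
A defensive sketch covering both findings above (the name field and the description field), added here and not part of the original advisories or of ThingsBoard's code: it encodes rule node fields before they reach a tooltip and audits stored nodes for markup. The node shape (id, name, additionalInfo.description), the function names and the sample nodes are assumptions constructed for illustration.

```javascript
// Added example: the field names (name, additionalInfo.description) are
// assumptions about how rule nodes are stored, not taken from the advisory.

// Encode the five characters that let text break out of an HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical tooltip builder: every user-controlled field is encoded
// before it is concatenated into markup.
function renderTooltip(node) {
  const description = node.additionalInfo ? node.additionalInfo.description : '';
  return '<div class="tooltip"><b>' + escapeHtml(node.name) + '</b><p>' +
    escapeHtml(description) + '</p></div>';
}

// Matches an opening/closing tag or an HTML entity; plain "a < b" text is not flagged.
const MARKUP = /<\/?[a-zA-Z][^>]*>|&#?\w+;/;

// Return one finding per field that already contains markup, for review of stored nodes.
function auditRuleNodes(nodes) {
  const findings = [];
  for (const node of nodes) {
    const fields = {
      name: node.name,
      description: node.additionalInfo ? node.additionalInfo.description : undefined,
    };
    for (const [field, value] of Object.entries(fields)) {
      if (typeof value === 'string' && MARKUP.test(value)) {
        findings.push({ id: node.id, field });
      }
    }
  }
  return findings;
}

// Constructed sample data (not real ThingsBoard output).
const SAMPLE_NODES = [
  { id: 'n1', name: 'Save Timeseries', additionalInfo: { description: 'temp < 40 only' } },
  { id: 'n2', name: "<script>alert('XSS')</script>", additionalInfo: { description: '' } },
  { id: 'n3', name: 'Filter', additionalInfo: { description: "<script>alert('XSS')</script>" } },
];

console.log(auditRuleNodes(SAMPLE_NODES));
console.log(renderTooltip(SAMPLE_NODES[1]));
```

The audit is a review aid for nodes saved before a fix was deployed; the encoding at render time is what prevents execution.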