Cross-site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs.

Patch details: https://github.com/thingsboard/thingsboard/pull/7385

Audit logs help establish accountability for usage among the various users of an application. However, if this functionality is not implemented securely, attackers can abuse its implementation flaws to launch attacks against application users. In this blog post, we look at an XSS vulnerability in the audit logs feature of ThingsBoard, an open-source IoT platform, and how it leads to the takeover of administrator accounts. The vulnerability can be exploited by an existing, lower-privileged user of the platform.

According to ThingsBoard's documentation ( https://thingsboard.io/docs/pe/user-guide/rbac/ ), on the community edition "a tenant administrator manages devices, dashboards, customers, and other entities that belong to a particular tenant". Each tenant has several customers and as
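As an added illustration of the bug class (example code, not ThingsBoard's code or the fix in the linked pull request), the snippet below shows an audit-log row rendered with raw interpolation beside the escaped form, plus a check that flags stored entries carrying markup. The field names and sample entries are assumptions constructed for the example.

```javascript
// Added example, not ThingsBoard code. Audit-log entries carry values the
// acting user controls (here: an entity name). If the admin UI inserts them
// into the DOM as HTML, a stored XSS fires in every admin session that views
// the log. Field names (userName, actionType, entityName) are assumed.

// Minimal HTML escaping for text placed in element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: user-controlled fields interpolated straight into markup.
function renderAuditRowUnsafe(entry) {
  return `<tr><td>${entry.userName}</td><td>${entry.actionType}</td>` +
         `<td>${entry.entityName}</td></tr>`;
}

// Hardened rendering: every field is escaped before it reaches the markup.
function renderAuditRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.userName)}</td>` +
         `<td>${escapeHtml(entry.actionType)}</td>` +
         `<td>${escapeHtml(entry.entityName)}</td></tr>`;
}

// Defender-side heuristic: flag stored entries whose free-text fields contain
// tag openers, javascript: URLs or inline event handlers, so a poisoned log
// can be found before an administrator opens it.
const MARKUP = /<[a-z!\/]|javascript:|on\w+\s*=/i;
function flagSuspiciousEntries(entries) {
  return entries.filter(e =>
    [e.userName, e.entityName].some(v => MARKUP.test(String(v))));
}

// Constructed sample log: one benign entry, one carrying a markup payload.
const sampleEntries = [
  { userName: 'customer@example.com', actionType: 'ADDED', entityName: 'Sensor-01' },
  { userName: 'customer@example.com', actionType: 'UPDATED',
    entityName: '<script>document.title="x"</script>' },
];
```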