CVE-2025-64177

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme filtering. This is fixed in version 0.6.8.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/MatiasDesuu/ThinkDashboard/commit/16976263b22a4b0526b2c7c30294cc099258edae	Patch
https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-57f2-rhxm-fjv3	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:matiasdesuu:thinkdashboard:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-06 22:15

Updated : 2025-11-21 16:34

NVD link : CVE-2025-64177

Mitre link : CVE-2025-64177

CVE.ORG link : CVE-2025-64177

JSON object : View

Products Affected

matiasdesuu

thinkdashboard

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-64177", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-11-06T22:15:44.040", "references": [{"url": "https://github.com/MatiasDesuu/ThinkDashboard/commit/16976263b22a4b0526b2c7c30294cc099258edae", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-57f2-rhxm-fjv3", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme filtering. This is fixed in version 0.6.8."}, {"lang": "es", "value": "ThinkDashboard es un panel de marcadores autoalojado construido con Go y JavaScript puro. En las versiones 0.6.7 e inferiores, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en el panel, que puede ser explotada cuando un usuario hace clic en un marcador malicioso, hecho vulnerable por la falta de filtrado de esquemas. Esto se corrigi\u00f3 en la versi\u00f3n 0.6.8."}], "lastModified": "2025-11-21T16:34:24.037", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:matiasdesuu:thinkdashboard:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60EB1ECB-DC80-4185-8EB8-1276C74DF6D0", "versionEndExcluding": "0.6.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}