CVE-2025-64177

Description

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme filtering. This is fixed in version 0.6.8.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:matiasdesuu:thinkdashboard:*:*:*:*:*:*:*:* - VULNERABLE

ThinkDashboard <= 0.6.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

javascript:alert(document.cookie)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-64177
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-64177
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-64177/
[4] VulDB https://vuldb.com/cve/CVE-2025-64177
[5] https://github.com/MatiasDesuu/ThinkDashboard/commit/16976263b22a4b0526b2c7c30294cc099258edae
[6] https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-57f2-rhxm-fjv3

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-64177", "sourceIdentifier": "[email protected]", "published": "2025-11-06T22:15:44.040", "lastModified": "2025-11-21T16:34:24.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme filtering. This is fixed in version 0.6.8."}, {"lang": "es", "value": "ThinkDashboard es un panel de marcadores autoalojado construido con Go y JavaScript puro. En las versiones 0.6.7 e inferiores, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en el panel, que puede ser explotada cuando un usuario hace clic en un marcador malicioso, hecho vulnerable por la falta de filtrado de esquemas. Esto se corrigió en la versión 0.6.8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:matiasdesuu:thinkdashboard:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.6.8", "matchCriteriaId": "60EB1ECB-DC80-4185-8EB8-1276C74DF6D0"}]}]}], "references": [{"url": "https://github.com/MatiasDesuu/ThinkDashboard/commit/16976263b22a4b0526b2c7c30294cc099258edae", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-57f2-rhxm-fjv3", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}