CVE-2025-64177
📋 TL;DR
ThinkDashboard versions 0.6.7 and below contain a stored XSS vulnerability where malicious bookmarks can execute arbitrary JavaScript when clicked. This affects all users of vulnerable versions who click on specially crafted bookmarks. The vulnerability exists due to insufficient URL scheme filtering.
💻 Affected Systems
- ThinkDashboard
📦 What is this software?
ThinkDashboard by MatiasDesuu
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to phishing sites, perform actions on behalf of authenticated users, or install malware via drive-by downloads.
Likely Case
Session hijacking, credential theft, or redirection to malicious sites when users click on attacker-controlled bookmarks.
If Mitigated
Limited impact with proper Content Security Policy (CSP) headers and user awareness about suspicious bookmarks.
🎯 Exploit Status
Exploitation requires user interaction (clicking a malicious bookmark) and typically requires the attacker to have bookmark creation/modification access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.6.8
Vendor Advisory: https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-57f2-rhxm-fjv3
Restart Required: Yes
Instructions:
1. Backup your ThinkDashboard data and configuration.
2. Stop the ThinkDashboard service.
3. Update to version 0.6.8 or later using your package manager or by downloading from GitHub.
4. Restart the ThinkDashboard service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Implement Content Security Policy
Add CSP headers to restrict script execution sources
Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to the web server configuration
Disable Bookmark Creation
Temporarily disable bookmark creation/modification for untrusted users
Modify ThinkDashboard configuration to restrict bookmark management to administrators only
🧯 If You Can't Patch
- Implement strict Content Security Policy headers
- Restrict bookmark creation to trusted administrators only
🔍 How to Verify
Check if Vulnerable:
Check if ThinkDashboard version is 0.6.7 or earlier in the web interface or configuration files
Check Version:
Check ThinkDashboard web interface or configuration file for version information
Verify Fix Applied:
Confirm the version is 0.6.8 or later and test that javascript: URLs in bookmarks no longer execute when clicked
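The scheme-filtering gap named in the TL;DR and the "javascript: URLs no longer execute" check above, as an added JavaScript example. This is not ThinkDashboard's code: the weak filter is a hypothetical illustration of an insufficient check, the hardened validator is an allowlist approach a fix of this kind needs, and the test vectors are constructed.

```javascript
// Added example, not ThinkDashboard's code: allowlist-based bookmark URL
// validation of the kind a fix for this bug class needs, beside a hypothetical
// prefix blocklist that is insufficient in the way the TL;DR describes.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Hypothetical insufficient check: blocks only the literal lowercase prefix.
function weakSchemeFilter(raw) {
  return !raw.startsWith("javascript:");
}

// Hardened check: normalise the way the WHATWG URL parser does, parse, then
// accept only schemes on an explicit allowlist.
function isSafeBookmarkUrl(raw) {
  if (typeof raw !== "string") return false;
  // Browsers drop tab/CR/LF anywhere and strip leading/trailing C0 controls
  // and spaces, so "java\tscript:" and " javascript:" still run as javascript:.
  const cleaned = raw
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  let parsed;
  try {
    parsed = new URL(cleaned); // throws on relative or malformed input
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}
// Constructed vectors (not from the advisory): [input, hardened check should allow?]
const VECTORS = [
  ["https://example.com/docs", true],
  ["http://intranet/wiki?q=javascript:alert(1)", true], // scheme is http; query is inert
  ["javascript:alert(1)", false],
  ["JavaScript:alert(1)", false],       // case variation
  ["  javascript:alert(1)", false],     // leading spaces
  ["java\tscript:alert(1)", false],     // embedded tab
  ["\u0001javascript:alert(1)", false], // leading control character
  ["data:text/html,<b>x</b>", false],   // other active scheme
  ["vbscript:MsgBox(1)", false],
  ["//evil.example/", false],           // protocol-relative, no base
];
// One row per vector: what each check allows and whether the hardened one is right.
function runVectors() {
  return VECTORS.map(([url, expected]) => ({
    url,
    weakAllows: weakSchemeFilter(url),
    hardenedAllows: isSafeBookmarkUrl(url),
    correct: isSafeBookmarkUrl(url) === expected,
  }));
}
```

Running runVectors() shows the weak filter letting every variant other than the exact lowercase prefix through, while the hardened check rejects all of them and still accepts an http URL whose query merely contains the string javascript:.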
📡 Detection & Monitoring
Log Indicators:
- Unusual bookmark creation/modification patterns
- Multiple failed login attempts followed by bookmark changes
Network Indicators:
- Outbound connections to unexpected domains after clicking bookmarks
- Suspicious JavaScript payloads in HTTP requests
SIEM Query:
source="thinkdashboard" AND (event="bookmark_created" OR event="bookmark_modified") | stats count by user, bookmark_url