Refine your search
3 vulnerabilities found for by MatiasDesuu
CVE-2025-64177 (GCVE-0-2025-64177)
Vulnerability from cvelistv5
Published
2025-11-06 21:32
Modified
2025-11-06 21:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme filtering. This is fixed in version 0.6.8.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MatiasDesuu | ThinkDashboard |
Version: < 0.6.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64177",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:45:00.514212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:45:13.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ThinkDashboard",
"vendor": "MatiasDesuu",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme filtering. This is fixed in version 0.6.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:32:43.236Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-57f2-rhxm-fjv3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-57f2-rhxm-fjv3"
},
{
"name": "https://github.com/MatiasDesuu/ThinkDashboard/commit/16976263b22a4b0526b2c7c30294cc099258edae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MatiasDesuu/ThinkDashboard/commit/16976263b22a4b0526b2c7c30294cc099258edae"
}
],
"source": {
"advisory": "GHSA-57f2-rhxm-fjv3",
"discovery": "UNKNOWN"
},
"title": "ThinkDashboard: Stored XSS in Dashboard via Malicious Bookmark"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64177",
"datePublished": "2025-11-06T21:32:43.236Z",
"dateReserved": "2025-10-28T21:07:16.439Z",
"dateUpdated": "2025-11-06T21:45:13.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64176 (GCVE-0-2025-64176)
Vulnerability from cvelistv5
Published
2025-11-06 21:12
Modified
2025-11-06 21:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip file to bypass the client-side file-type verification. This could lead to stored XSS, or be used for other nefarious purposes such as malware distribution. This issue is fixed in version 0.6.8.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MatiasDesuu | ThinkDashboard |
Version: < 0.6.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64176",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:31:06.083695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:31:41.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ThinkDashboard",
"vendor": "MatiasDesuu",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip file to bypass the client-side file-type verification. This could lead to stored XSS, or be used for other nefarious purposes such as malware distribution. This issue is fixed in version 0.6.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:12:38.265Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-jvmw-hg62-jr47",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-jvmw-hg62-jr47"
},
{
"name": "https://github.com/MatiasDesuu/ThinkDashboard/commit/18d2f6aded0d6424cc4c8619731dd20563f4cfd8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MatiasDesuu/ThinkDashboard/commit/18d2f6aded0d6424cc4c8619731dd20563f4cfd8"
}
],
"source": {
"advisory": "GHSA-jvmw-hg62-jr47",
"discovery": "UNKNOWN"
},
"title": "ThinkDashboard: Arbitrary File Upload vulnerability in the Backup Import Feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64176",
"datePublished": "2025-11-06T21:12:38.265Z",
"dateReserved": "2025-10-28T21:07:16.439Z",
"dateUpdated": "2025-11-06T21:31:41.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64327 (GCVE-0-2025-64327)
Vulnerability from cvelistv5
Published
2025-11-06 21:07
Modified
2025-11-06 21:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery (SSRF) vulnerability, in its `/api/ping?url= endpoint`. This allows an attacker to make arbitrary requests to internal or external hosts. This can include discovering ports open on the local machine, hosts on the local network, and ports open on the hosts on the internal network. This issue is fixed in version 0.6.8.
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MatiasDesuu | ThinkDashboard |
Version: < 0.6.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64327",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T21:29:12.211663Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:29:15.660Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-p52r-qq3j-8p78"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ThinkDashboard",
"vendor": "MatiasDesuu",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery (SSRF) vulnerability, in its `/api/ping?url= endpoint`. This allows an attacker to make arbitrary requests to internal or external hosts. This can include discovering ports open on the local machine, hosts on the local network, and ports open on the hosts on the internal network. This issue is fixed in version 0.6.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T21:07:17.672Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-p52r-qq3j-8p78",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MatiasDesuu/ThinkDashboard/security/advisories/GHSA-p52r-qq3j-8p78"
},
{
"name": "https://github.com/MatiasDesuu/ThinkDashboard/commit/16976263b22a4b0526b2c7c30294cc099258edae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MatiasDesuu/ThinkDashboard/commit/16976263b22a4b0526b2c7c30294cc099258edae"
},
{
"name": "https://github.com/MatiasDesuu/ThinkDashboard/releases/tag/0.6.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MatiasDesuu/ThinkDashboard/releases/tag/0.6.8"
}
],
"source": {
"advisory": "GHSA-p52r-qq3j-8p78",
"discovery": "UNKNOWN"
},
"title": "ThinkDashboard: Blind Server-Side Request Forgery (SSRF) vulnerability in /api/ping Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64327",
"datePublished": "2025-11-06T21:07:17.672Z",
"dateReserved": "2025-10-30T17:40:52.028Z",
"dateUpdated": "2025-11-06T21:29:15.660Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}