ThinkDashboard Vulnerability

MEDIUM (5.3) Patch Available

Threat Intelligence

Low Risk
EPSS Score: 0.09% chance of exploitation (percentile: 26%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Its bookmark-backup import can be abused to upload arbitrary files into the web application's /data directory, which could lead to stored XSS against users of the instance or to the instance being used to distribute malware.
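The defensive pattern behind a fix for this class of bug is to treat every file name in an imported backup as untrusted: normalise it, refuse anything that would land outside the data directory, and only restore file types the dashboard actually needs. The Go function below is an added illustration of that check, not ThinkDashboard's own code; the data-directory path, the allowed extensions (.json and .png) and the function name are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Extensions a backup is allowed to restore (assumption for this example;
// the page does not describe the real backup format).
var allowedExt = map[string]bool{".json": true, ".png": true}

var (
	ErrTraversal = errors.New("backup entry escapes the data directory")
	ErrExtension = errors.New("backup entry has a disallowed file type")
)

// SafeRestorePath maps a file name taken from an untrusted backup onto a
// location inside dataDir. It rejects absolute names, names that climb out of
// dataDir with "..", and file types not on the allowlist.
func SafeRestorePath(dataDir, entry string) (string, error) {
	// Treat backslashes as separators so "..\" is handled like "../".
	entry = strings.ReplaceAll(entry, "\\", "/")
	if entry == "" || strings.HasPrefix(entry, "/") || filepath.IsAbs(entry) {
		return "", ErrTraversal
	}
	clean := filepath.Clean(filepath.FromSlash(entry))
	// After Clean, any ".." that survives is a leading component, i.e. an escape.
	if clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	if !allowedExt[strings.ToLower(filepath.Ext(clean))] {
		return "", ErrExtension
	}
	root := filepath.Clean(dataDir)
	dest := filepath.Join(root, clean)
	// Defence in depth: confirm the joined path is still below root.
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return dest, nil
}

func main() {
	// Constructed sample entries: one valid, one traversal, one wrong type.
	for _, e := range []string{"bookmarks.json", "../../outside.json", "page.html"} {
		p, err := SafeRestorePath("/srv/thinkdashboard/data", e)
		fmt.Printf("%-20s -> %q %v\n", e, p, err)
	}
}
```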

Am I affected?

You're affected if you use ThinkDashboard version 0.6.7 or earlier. To check whether an instance is installed, run find / -name "ThinkDashboard*.exe" (Windows) or find / -name "thinkdashboard" (Linux/macOS) to locate the binary. If you don't recognize the name, you're probably not affected.

Affected Packages

go: github.com/MatiasDesuu/ThinkDashboard

Affected Products

aEnrich / a+HRD

How to fix

  1. Upgrade to ThinkDashboard version 0.6.8 or later from the official GitHub repository: https://github.com/MatiasDesuu/ThinkDashboard/releases/tag/v0.6.8.
  2. Immediate mitigations:
     - Restrict network access to your ThinkDashboard instance (firewall it from the public internet).
     - Audit admin account activity for suspicious access patterns.
     - Monitor for unauthorized token creation.