ThinkDashboard XSS Vulnerability

MEDIUM (5.4) Patch Available

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 9%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Users create and manage bookmarks, and the URL of each bookmark is stored and later rendered as the target of a clickable link. Because the URL validation does not filter the scheme, a URL that is not http or https (typically a javascript: URL) is accepted as-is, which makes the application vulnerable to stored Cross-Site Scripting (XSS). An attacker who can create bookmarks can store one whose URL runs arbitrary JavaScript in the browser of any user who clicks it.

Am I affected?

You're affected if you run ThinkDashboard version 0.6.7 or earlier. Check the version of the build you deployed: compare it against the release tag you downloaded from the GitHub releases page, or, for a Go binary built with modules, run go version -m <path-to-binary> (the binary path depends on your deployment) and read the version reported for the main module github.com/MatiasDesuu/ThinkDashboard. A build made from an untagged checkout reports (devel) instead of a version; in that case compare the recorded commit against the 0.6.8 release.

Affected Packages

go: github.com/MatiasDesuu/ThinkDashboard

Affected Products

MatiasDesuu / ThinkDashboard

How to fix

To fix this vulnerability, upgrade to ThinkDashboard version 0.6.8 or later. You can download the latest version from the official GitHub repository: https://github.com/MatiasDesuu/ThinkDashboard/releases. After upgrading, review bookmarks created before the fix: a stricter check on new input does not necessarily rewrite URLs already in storage, so any stored bookmark whose URL does not start with http:// or https:// deserves a look. If an immediate upgrade isn't possible, the following mitigations reduce exposure but do not remove the flaw:

  • Restrict network access to your ThinkDashboard instance (firewall it from the public internet)
  • Audit admin account activity for suspicious access patterns
  • Monitor for unauthorized token creation
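The two points above, the missing scheme check described under "What is it?" and the review of already-stored bookmarks after the fix, are illustrated by the following Go example. It is added here and is not ThinkDashboard's code: the function names, the http/https allowlist, and the sample bookmark URLs are assumptions made for the example. It shows a validator that accepts any parseable URL beside a hardened one that allowlists the scheme and requires a host, and reuses the hardened check to audit a list of stored URLs.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Sketch of the vulnerable pattern (illustrative, not ThinkDashboard's code):
// the bookmark URL only has to be non-empty and parseable, so a value such as
// "javascript:alert(document.cookie)" is accepted, stored, and later rendered
// as the href of a clickable link.
func validateBookmarkURLVulnerable(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", errors.New("url is required")
	}
	if _, err := url.Parse(raw); err != nil {
		return "", err
	}
	return raw, nil
}

// allowedSchemes is the allowlist for the hardened validator. The set is an
// assumption for this example; extend it deliberately, never by default.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// validateBookmarkURL is the hardened form. It parses the input, requires an
// absolute URL whose scheme is on the allowlist and that has a host, and
// returns the normalised string. net/url lowercases the scheme, so
// "JavaScript:" is caught like "javascript:", and it rejects control bytes
// outright, so "java\nscript:" never reaches the scheme check.
func validateBookmarkURL(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", errors.New("url is required")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("invalid url: %w", err)
	}
	if !allowedSchemes[u.Scheme] {
		return "", fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	if u.Host == "" {
		return "", errors.New("url must be absolute and include a host")
	}
	return u.String(), nil
}

// auditBookmarks runs the hardened check over URLs already in storage and
// returns those that would now be rejected, so an operator can find payloads
// stored before the upgrade. The storage format is deployment-specific;
// callers pass the plain URL strings.
func auditBookmarks(stored []string) []string {
	var suspect []string
	for _, s := range stored {
		if _, err := validateBookmarkURL(s); err != nil {
			suspect = append(suspect, s)
		}
	}
	return suspect
}

func main() {
	// Constructed sample inputs, not data from any real instance.
	samples := []string{
		"https://example.com/docs?page=1",
		"http://intranet.example/wiki",
		"javascript:alert(document.cookie)",
		"JavaScript:alert(1)",
		"data:text/html,<script>alert(1)</script>",
		"vbscript:msgbox(1)",
		"//evil.example/x",
		"/relative/path",
		"java\nscript:alert(1)",
	}
	for _, s := range samples {
		_, vulnErr := validateBookmarkURLVulnerable(s)
		_, fixedErr := validateBookmarkURL(s)
		fmt.Printf("%-45q vulnerable accepts: %-5v hardened accepts: %v\n",
			s, vulnErr == nil, fixedErr == nil)
	}
	fmt.Println("stored bookmarks needing review:", auditBookmarks(samples))
}
```

The hardened validator rejects on parse, not on string matching: it does not look for the substring "javascript", because a denylist misses data:, vbscript: and whatever the next browser adds, while an allowlist of http and https with a required host also rules out scheme-relative and relative paths that would otherwise inherit the dashboard's own origin.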