SiYuan Stored Cross-Site Scripting Vulnerability with Remote Code Execution Potential

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability has been identified in SiYuan versions prior to 3.5.4. This vulnerability allows an attacker to inject arbitrary HTML attributes into the 'icon' attribute of a block through the '/api/attr/setBlockAttrs' API. The injected payload is later rendered in the dynamic icon feature without proper sanitization, leading to stored XSS. In the desktop environment, this could escalate to remote code execution (RCE). This vulnerability bypasses a previous fix for a similar issue, allowing the same exploitation vector to be reused.

Impact

Exploitation of this vulnerability causes stored XSS, where injected JavaScript is executed when the affected block is viewed. In the desktop application, this XSS can be escalated to arbitrary command execution using Node/Electron APIs, similar to a previously reported issue.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/attr/setBlockAttrs' endpoint with a block ID and an 'icon' attribute value that includes injected JavaScript, such as an 'onload' event handler. Once the block is rendered with the dynamic icon feature, the injected script executes, demonstrating the stored XSS. In the desktop application, this can be escalated to RCE with JavaScript that calls Node/Electron APIs.
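The two defences this advisory implies (reject unsafe 'icon' values at the API, and HTML-escape the stored value when the dynamic icon is rendered), plus a log check for the injection shape, as an added Go example that is not SiYuan's own code. The icon allowlist, the rendered markup and the "METHOD PATH BODY" log format are assumptions; the request body shape {"id": ..., "attrs": {...}} is assumed too.

```go
package main

import (
	"encoding/json"
	"html"
	"regexp"
	"strings"
)

// Conservative allowlist for a block's "icon" value (the real icon syntax is
// an assumption): no quotes, angle brackets, whitespace or "=" ever get stored.
var iconAllowed = regexp.MustCompile(`^[A-Za-z0-9_./:#-]{1,256}$`)

// ValidateIconAttr is the input-side check for /api/attr/setBlockAttrs.
func ValidateIconAttr(v string) bool {
	return iconAllowed.MatchString(v)
}

// RenderIconAttr is the output-side defence: the stored value is HTML-escaped
// before it lands in an attribute, so even a value that slipped past validation
// cannot close the attribute. Element/attribute names are placeholders.
func RenderIconAttr(v string) string {
	return `<span class="dynamic-icon" data-icon="` + html.EscapeString(v) + `"></span>`
}

// suspiciousIcon matches the shape of an attribute-injection payload:
// a quote, an angle bracket, or an on*= event handler such as onload=.
var suspiciousIcon = regexp.MustCompile(`(?i)["'<>]|\bon[a-z]+\s*=`)

// FlagSetBlockAttrs scans constructed request-log lines "METHOD PATH BODY" and
// returns those where a /api/attr/setBlockAttrs call carries a suspicious
// "icon" attribute. The body shape {"id": ..., "attrs": {...}} is assumed.
func FlagSetBlockAttrs(logLines []string) []string {
	var hits []string
	for _, line := range logLines {
		fields := strings.SplitN(line, " ", 3)
		if len(fields) < 3 || fields[1] != "/api/attr/setBlockAttrs" {
			continue
		}
		var req struct{ Attrs map[string]string `json:"attrs"` }
		if err := json.Unmarshal([]byte(fields[2]), &req); err != nil {
			continue
		}
		if icon, ok := req.Attrs["icon"]; ok && suspiciousIcon.MatchString(icon) {
			hits = append(hits, line)
		}
	}
	return hits
}
```

Both the allowlist and the escaping are needed: the allowlist stops bad values entering storage, and the escaping protects blocks that were stored before a fix.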

Remediation

Users should update to SiYuan version 3.5.4, which includes a fix for this vulnerability.

Added: Jan 19, 2026, 8:20 PM
Updated: Jan 19, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.