SiYuan Note Privilege Escalation Vulnerability in Publish Service Allowing Unauthorized Content Modification

Vulnerability

A privilege escalation vulnerability has been identified in SiYuan Note versions prior to 3.5.10. It allows low-privilege publish accounts (RoleReader) to modify notebook content through the /api/block/appendHeadingChildren API endpoint. The endpoint is guarded only by model.CheckAuth, a check that RoleReader sessions satisfy, and applies no stricter authorization. As a result, remote authenticated publish users with read-only privileges can append new blocks to existing documents, undermining the integrity of the notes.
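The missing check described above, as an added illustration that is not SiYuan's own code: a minimal Go authorization gate in which the pre-3.5.10 shape only demands an authenticated session (any role from RoleReader up), while the hardened form requires a write-capable role before a block-mutating handler runs. The header-based role lookup, the RoleAnonymous and RoleEditor names, and the handler stub are assumptions made for this example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Role orders the publish-service session roles. RoleReader is the advisory's name;
// RoleAnonymous and RoleEditor are assumed names for this example.
type Role int
const (
	RoleAnonymous Role = iota
	RoleReader
	RoleEditor
)
// roleOf stands in for the real session lookup (assumption: a request header names
// the role; an unknown or missing value yields the zero value, RoleAnonymous).
var roleOf = map[string]Role{"reader": RoleReader, "editor": RoleEditor}
// requireRole gates a handler on a minimum role. Demanding only RoleReader is the
// pre-3.5.10 shape: any authenticated session passes, readers included.
func requireRole(minRole Role, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		role := roleOf[r.Header.Get("X-Session-Role")]
		switch {
		case role == RoleAnonymous:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case role < minRole:
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next(w, r)
		}
	}
}

// appendHeadingChildren stands in for the block-mutating handler; it always succeeds.
func appendHeadingChildren(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }
var (
	Vulnerable = requireRole(RoleReader, appendHeadingChildren) // authenticated is enough
	Hardened   = requireRole(RoleEditor, appendHeadingChildren) // a write-capable role is required
)

// Call posts to the endpoint as the given role and returns the HTTP status code:
// a reader gets 200 from Vulnerable but 403 from Hardened; an editor gets 200 from both.
func Call(h http.HandlerFunc, role string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/block/appendHeadingChildren", nil)
	req.Header.Set("X-Session-Role", role)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}
```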

Impact

Exploitation of this vulnerability allows authenticated publish users with RoleReader privileges to modify notebook content without authorization. This could lead to tampering with private notes, altering content in published notebooks, and disrupting data integrity. Additionally, there is a possibility of combining this vulnerability with other API endpoints to escalate privileges further.

Reproduction

To reproduce this vulnerability, first enable the publish service and create a low-privilege account with RoleReader access. Next, create a test notebook and document using an admin account. After that, retrieve the ID of a heading block from the document using the low-privilege account. Generate a block DOM with the injected content and append it to the heading block using the vulnerable /api/block/appendHeadingChildren endpoint. Finally, verify the unauthorized modification by checking the block content, which will include the injected text.

Remediation

Users can update to SiYuan Note version 3.5.10 or later to address this vulnerability.

Added: Mar 10, 2026, 7:57 AM
Updated: Mar 10, 2026, 7:57 AM

Vulnerability Rating

Custom Algorithm

spread          0.3
impact          2.5
exploitability  6.2
remediation     7.7
relevance       3.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.