SiYuan Personal Knowledge Management System Stored Cross-Site Scripting Vulnerability Escalating to Remote Code Execution

Vulnerability

A stored cross-site scripting vulnerability has been identified in SiYuan personal knowledge management system, affecting versions through 3.5.9. The issue arises in the mobile file tree component, which processes notebook names from WebSocket events without proper HTML escaping. This flaw allows an authenticated user to inject arbitrary HTML or JavaScript that executes on mobile clients viewing the file tree. The injected JavaScript can leverage Node.js capabilities, leading to remote code execution. Notably, this vulnerability also impacts the desktop version of the application under certain conditions.

Impact

Exploitation of this vulnerability allows for full remote code execution on devices running the SiYuan Electron desktop application or the mobile application, with the injected code having complete access to the operating system.

Reproduction

To reproduce this vulnerability, an authenticated user with the ability to rename notebooks can send a WebSocket event that includes a malicious payload, such as an image tag with an 'onerror' attribute executing JavaScript. Once the event is broadcast, any mobile client, or a desktop client displayed in a narrow window, will execute the payload, resulting in arbitrary command execution on the device.

Remediation

Users can update to SiYuan version 3.6.1, which addresses this vulnerability by implementing proper HTML escaping in the mobile file tree component and sanitizing notebook names on the backend.
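The bug class and the fix, as an added example that is not SiYuan's own code: a file-tree renderer rebuilds a tree item from a notebook rename received over WebSocket, once with the name interpolated raw and once with it escaped, plus the backend-side name check the remediation describes. The event shape, the CSS class name and the sample notebook name are constructed for this example.

```javascript
// Constructed rename event; the "cmd"/"data" shape is an assumption, not SiYuan's format.
const CONSTRUCTED_EVENT = {
  cmd: "renamenotebook",
  data: { id: "20240101-abc", name: "<img src=x onerror=alert(1)>" },
};

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the untrusted name is interpolated raw into the template, so any
// markup inside the name becomes live DOM when the string is assigned via innerHTML.
// In an Electron renderer with Node access, that script runs with OS-level privileges.
function renderTreeItemVulnerable(notebook) {
  return `<li class="b3-list-item" data-id="${notebook.id}">${notebook.name}</li>`;
}

// Hardened pattern: every untrusted value is escaped, in attribute and text positions.
function renderTreeItemSafe(notebook) {
  return `<li class="b3-list-item" data-id="${escapeHtml(notebook.id)}">${escapeHtml(notebook.name)}</li>`;
}

// Backend-side defence in depth: refuse names that carry angle brackets at all, so a
// stored name can never contain a tag even if some renderer forgets to escape it.
function validateNotebookName(name) {
  return typeof name === "string" && name.length > 0 && !/[<>]/.test(name);
}

// Regression check for a renderer: count tag openers in its output. The template
// contributes exactly two (<li> and </li>); anything beyond that came from the data.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

// Dispatch one event through a renderer, mirroring the WebSocket handler path.
function handleRenameEvent(event, render) {
  if (event.cmd !== "renamenotebook") return null;
  return render(event.data);
}
```

Run the two renderers over the constructed event and compare tag counts: the raw version yields three tags (the injected image included), the escaped version yields only the template's two.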

Added: Mar 19, 2026, 10:25 PM
Updated: Mar 19, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 10.0
exploitability: 5.8
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.