SiYuan Stored Cross-Site Scripting Vulnerability Allowing Remote Code Execution

Vulnerability

A stored cross-site scripting vulnerability has been identified in SiYuan, a personal knowledge management system, in versions prior to 3.6.2. The issue arises when an attacker places a malicious URL in an Attribute View 'mAsset' field. That URL is then executed as JavaScript when a victim views the Gallery or Kanban with 'Cover From -> Asset Field' enabled. The impact is greatest in the Electron desktop client, where the injected script can execute arbitrary operating system commands under the user's account.
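One defensive control for the rendering path described above, as an added example that is not SiYuan's code: validate the asset field value against an allowlist before it is used as a cover image, and build the card markup by escaping the value rather than concatenating it into HTML. The 'assets/' prefix, the accepted schemes and the class names are assumptions.

```javascript
// Added example, not SiYuan's code: allowlist validation and safe markup for a
// cover-image asset URL before it reaches a Gallery/Kanban card.
// Assumptions: assets are referenced either as relative paths under "assets/"
// or as absolute http(s) URLs; the class names below are hypothetical.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Relative asset path: must stay under assets/, contain no ".." segment and
// end in a raster image extension (SVG is excluded because it can carry script).
const RELATIVE_ASSET = /^(?!.*\.\.)assets\/[A-Za-z0-9._\-\/]+\.(?:png|jpe?g|gif|webp)$/i;

function isSafeCoverUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return false;
  // Control characters and whitespace are rejected outright: browsers strip
  // tabs and newlines while parsing, so a broken-up scheme would still run.
  if (/[\u0000-\u001f\u007f\s]/.test(raw)) return false;
  if (RELATIVE_ASSET.test(raw)) return true;
  let parsed;
  try {
    parsed = new URL(raw); // throws on anything that is not an absolute URL
  } catch {
    return false;
  }
  // URL normalises the scheme to lower case, so mixed-case schemes are caught too.
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// HTML attribute escaping, applied even to values that passed validation
// (defence in depth: a valid URL may legitimately contain "&").
function escapeAttr(value) {
  return value.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Builds the card cover. Untrusted field content never reaches the markup
// unescaped, and rejected values produce an empty placeholder instead.
function coverMarkup(assetUrl) {
  if (!isSafeCoverUrl(assetUrl)) {
    return '<div class="av__cover av__cover--blocked"></div>';
  }
  return `<img class="av__cover" src="${escapeAttr(assetUrl)}" alt="">`;
}
```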

Impact

Successful exploitation results in stored cross-site scripting: the injected JavaScript executes in the victim's context in the Electron desktop application, where it has access to Node.js APIs and can therefore run arbitrary commands on the user's operating system.

Reproduction

To reproduce this vulnerability, first install the SiYuan Electron desktop application. Create a database with an Attribute View that includes an 'mAsset' column. Add a legitimate image to this column, then switch to the Gallery or Kanban view and set the cover source to the 'Asset Field'. Edit the image asset to replace the URL with a crafted payload that includes a JavaScript command, such as one that opens the Calculator application on Windows. Save the change and refresh the view to trigger the execution of the injected script.

Remediation

Users can update to SiYuan version 3.6.2, which addresses this vulnerability.

Added: Apr 1, 2026, 12:11 AM
Updated: Apr 1, 2026, 12:11 AM

Vulnerability Rating

Custom Algorithm

  spread          0.3
  impact         10.0
  exploitability  5.0
  remediation     7.7
  relevance       5.0
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.