SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= v3.6.1
A stored cross-site scripting vulnerability has been identified in SiYuan versions prior to 3.6.2. This issue allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL (inline attribute list) value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal 'Import -> SiYuan .sy.zip' workflow. Once the note is opened, the malicious attribute escapes its original HTML context and injects an event handler, resulting in stored cross-site scripting. In the Electron desktop client, this cross-site scripting vulnerability escalates to remote code execution because the injected JavaScript executes with access to Node and Electron APIs.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the application. In the Electron desktop client, this cross-site scripting vulnerability leads to remote code execution, as the executed JavaScript has access to Node and Electron APIs, allowing arbitrary commands to be executed on the victim's machine.
To reproduce this vulnerability, SiYuan Desktop version 3.6.1 must be used. A crafted .sy.zip file is needed, containing a .sy document with a block IAL property that includes a malicious payload, such as an HTML entity mixed with raw special characters, designed to bypass the application's attribute escaping. After importing the .sy.zip file through the application's import feature, the injected JavaScript can be triggered by interacting with the imported note, such as hovering over the affected block, which will execute the JavaScript payload, demonstrating the vulnerability.
Users can update to SiYuan version 3.6.2, which addresses this vulnerability.
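As an added illustration (not SiYuan's code and not the 3.6.2 fix), a Go sketch of the defensive pattern the advisory implies: decode an attribute value fully before escaping it, so a pre-encoded entity cannot shield the raw characters that follow it, contrasted with a hypothetical weak escaper that treats any value containing an entity as already safe. It also adds an import-time check over an assumed minimal .sy block shape (the IAL modelled as a "Properties" string map) that flags values mixing entities with raw attribute-breaking characters.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"strings"
)

// escapeAttr canonicalizes a block attribute value before escaping it, so
// every special character is encoded exactly once regardless of pre-encoding.
func escapeAttr(v string) string {
	return html.EscapeString(html.UnescapeString(v))
}

// naiveEscapeAttr is a hypothetical weak escaper (not SiYuan's code), kept for
// contrast: a value that already holds an entity is passed through untouched.
func naiveEscapeAttr(v string) string {
	if strings.Contains(v, "&") && strings.Contains(v, ";") {
		return v
	}
	return html.EscapeString(v)
}

// hasMixedEntityAndRaw flags values combining an HTML entity with raw
// attribute-breaking characters, the shape the advisory describes.
func hasMixedEntityAndRaw(v string) bool {
	hasEntity := v != html.UnescapeString(v)
	return hasEntity && strings.ContainsAny(v, `<>"'`)
}

// suspiciousAttrs scans one .sy block (assumed shape: IAL under "Properties")
// and returns the names of attributes an import step should log or reject.
func suspiciousAttrs(syJSON string) ([]string, error) {
	var b struct{ Properties map[string]string }
	if err := json.Unmarshal([]byte(syJSON), &b); err != nil {
		return nil, err
	}
	var out []string
	for k, v := range b.Properties {
		if hasMixedEntityAndRaw(v) {
			out = append(out, k)
		}
	}
	return out, nil
}

func main() {
	// Constructed value: an entity followed by a raw quote.
	fmt.Println(escapeAttr(`&amp; "x`), "|", naiveEscapeAttr(`&amp; "x`))
}
```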