SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.6.3
A remote code execution vulnerability has been identified in the SiYuan Electron desktop client, prior to version 3.6.4. This issue arises from table caption content being stored without proper escaping, allowing for stored cross-site scripting (XSS) that can be exploited when the note is opened. The vulnerability is particularly severe because the Electron renderer has node integration enabled and context isolation disabled, granting executed JavaScript access to Node.js APIs. An attacker can import a malicious note into a synced workspace, and when the victim opens the note, the embedded JavaScript executes, potentially leading to unauthorized code execution on the victim's machine.
Exploitation of this vulnerability allows for remote code execution on the victim's machine, within the context of the logged-in user.
To reproduce this vulnerability, first create a malicious note containing a table block with a crafted caption that includes encoded HTML, such as an image tag with an 'onerror' event. Save this note as a .sy.zip file and import it into SiYuan Desktop Client A, which will serve as the attacker's client. Once the note is imported, sync the workspace to upload the note to the shared sync target. Then, on SiYuan Desktop Client B, which will act as the victim's client, sync the workspace to download the note. Finally, open the synced note on Client B, which will trigger the execution of the JavaScript payload embedded in the table caption.
Users are advised to update to SiYuan version 3.6.4 or later, where this vulnerability has been fixed.
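The advisory rests on two separate conditions: caption text reaching the DOM without escaping, and a renderer configured with node integration on and context isolation off, so that any injected script also gets Node.js APIs. Both are cheap to check in code. The block below is an added example written for this page; it is not SiYuan project code or the upstream 3.6.4 fix. The option names `nodeIntegration`, `contextIsolation` and `sandbox` are real Electron `webPreferences` keys; `escapeHtml`, `renderCaption`, `auditWebPreferences` and the sample caption and configuration objects are constructed for this example.

```javascript
// Added example (not SiYuan code): two defensive checks matching the two
// conditions in the advisory.
//   1. escapeHtml()/renderCaption(): escape untrusted caption text before it
//      is written into HTML, so markup in a caption is shown as literal text.
//   2. auditWebPreferences(): flag an Electron BrowserWindow webPreferences
//      object whose settings would let page script reach Node.js APIs.
//      nodeIntegration, contextIsolation and sandbox are real Electron option
//      names; the audit logic and finding strings are this example's own.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can open a tag, close one, or break out of
// a quoted attribute. The advisory's defect is that this step was missing for
// table captions before the content was stored and later rendered.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a <caption> element's markup from caption text. After escaping there
// is no "<" left in the content, so no element (and no event-handler
// attribute on it) can be created from what the caption contains.
function renderCaption(caption) {
  return `<caption>${escapeHtml(caption)}</caption>`;
}

// Report renderer settings that turn a stored XSS into code execution on the
// host. Returns an array of findings; an empty array means the hardened
// baseline (no Node in the page, isolated contexts, sandboxed renderer) holds.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push("nodeIntegration is enabled: page script can call Node.js APIs");
  }
  if (prefs.contextIsolation === false) {
    findings.push("contextIsolation is disabled: page script shares a JS world with preload code");
  }
  if (prefs.sandbox === false) {
    findings.push("sandbox is disabled for the renderer process");
  }
  return findings;
}

// Constructed sample caption of the kind the advisory describes: an image tag
// carrying an onerror handler. Used only to show that escaping neutralises it.
const SAMPLE_CAPTION = '<img src=x onerror="alert(1)">';

// Constructed configurations: WEAK_PREFS mirrors the renderer settings the
// advisory describes; HARDENED_PREFS is the configuration the audit accepts.
const WEAK_PREFS = { nodeIntegration: true, contextIsolation: false };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

function demo() {
  console.log(renderCaption(SAMPLE_CAPTION));
  // -> <caption>&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</caption>
  console.log(auditWebPreferences(WEAK_PREFS));      // two findings
  console.log(auditWebPreferences(HARDENED_PREFS));  // []
}

demo();
```

Escaping at render time is the minimum; escaping (or rejecting) the caption at import time as well keeps the stored document clean for any other consumer of the .sy data. The `auditWebPreferences` check is the kind of assertion worth adding to a desktop client's startup or CI, since the renderer configuration is what decides whether a content-level XSS stays inside the page or reaches the operating system.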