SiYuan Cross-Site Scripting Vulnerability in Bazaar README Rendering Allows Remote Code Execution

Vulnerability

A stored cross-site scripting vulnerability has been identified in SiYuan versions from 3.6.1 up to, but not including, 3.6.3. The issue arises from an incomplete fix for a previous XSS vulnerability that allowed raw HTML to be embedded in README files of bazaar packages. The Lute HTML sanitizer, although enabled, does not effectively block iframe tags or properly filter srcdoc attributes. This oversight allows a malicious package author to inject an iframe whose srcdoc attribute carries a script that executes in the Electron context, leading to arbitrary code execution on the user's machine.
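The sanitizer gap described above (iframe not blocked, srcdoc not filtered) is the kind of defect an allowlist-based sanitizer closes by construction, because anything not explicitly admitted is dropped. The following Python is an added example written for this page, not SiYuan's or Lute's code: it rebuilds a README HTML fragment from an allowlist, removes iframe, script, object and embed elements together with their content, rejects srcdoc and on* attributes regardless of tag, refuses javascript: URLs, and logs what it removed so a bazaar ingest pipeline could flag a package. The allowlist itself, the SAMPLE_README_HTML fragment and the names ReadmeSanitizer and sanitize_readme_html are assumptions made for this example.

```python
import html
from html.parser import HTMLParser

# Allowlist for a package README renderer. These sets are an assumption made
# for this example; they are not SiYuan's or Lute's actual policy.
ALLOWED_TAGS = {
    "p", "a", "img", "ul", "ol", "li", "code", "pre", "em", "strong",
    "h1", "h2", "h3", "br", "hr", "blockquote", "table", "tr", "td", "th",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"img", "br", "hr"}
# Elements removed together with everything inside them. Keeping iframe out of
# the allowlist is what shuts the srcdoc vector described in the advisory.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
# Attributes never kept on any tag (any on* handler is rejected as well), so
# srcdoc stays blocked even if iframe were ever added back to ALLOWED_TAGS.
DENIED_ATTRS = {"srcdoc", "style", "formaction"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")


class ReadmeSanitizer(HTMLParser):
    """Rebuilds a fragment from the allowlist and records everything dropped."""

    def __init__(self):
        super().__init__()        # convert_charrefs=True: text arrives decoded
        self.out = []
        self.dropped = []         # audit trail: what a bad package tried to ship
        self._skip_depth = 0      # >0 while inside an element whose content is discarded

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = "" if value is None else value
            if name in DENIED_ATTRS or name.startswith("on"):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            # Only plain web/relative URLs survive on href/src (no javascript:, data:).
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return
        self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so decoded entities cannot become markup.
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_readme_html(fragment):
    """Return (clean_html, dropped_items) for an HTML fragment taken from a README."""
    parser = ReadmeSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample README fragment (not from any real package): a normal
# heading and link, an inline handler, an iframe carrying srcdoc, and a
# javascript: image URL.
SAMPLE_README_HTML = (
    "<h1>My Plugin</h1>"
    '<p>See <a href="https://example.com/docs" onclick="alert(1)">docs</a></p>'
    '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>'
    '<img src="javascript:alert(1)" alt="logo">'
)

if __name__ == "__main__":
    clean, dropped = sanitize_readme_html(SAMPLE_README_HTML)
    print(clean)
    print("dropped:", dropped)
```

The dropped list is the detection hook: a package whose README loses an iframe or an on* attribute at render time is worth a manual review before it is listed, and because the sanitizer is allowlist-based the signal does not depend on a denylist keeping up with new element names. Note that srcdoc is also rejected at the attribute level, so reinstating iframe in the allowlist at some later point would not silently reopen that vector.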

Impact

Exploitation of this vulnerability allows for full remote code execution on any affected SiYuan desktop user who views the malicious package README. The injected script executes with full application privileges, enabling the execution of arbitrary commands on the user's machine.

Reproduction

To reproduce this vulnerability, create a GitHub repository with a README file that includes an iframe tag in the Markdown. The iframe's srcdoc attribute should contain a script, such as one that accesses Node.js APIs to execute commands. Once the package is published and viewed in the SiYuan Bazaar, the script will execute, demonstrating the XSS vulnerability and its escalation to remote code execution.

Remediation

Users can update to SiYuan version 3.6.4 or later, where this vulnerability has been fixed.

Added: Apr 17, 2026, 1:24 AM
Updated: Apr 17, 2026, 1:24 AM

Vulnerability Rating

Custom Algorithm

spread:         0.3
impact:         7.5
exploitability: 7.4
remediation:    7.7
relevance:      6.1
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.