SiYuan Desktop Notification XSS Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability in SiYuan desktop versions prior to 3.6.5 allows cross-site scripting (XSS) through notifications, which can be exploited to execute arbitrary code on the user's desktop. The issue arises because the application renders notification messages as raw HTML in an Electron renderer that has Node integration enabled, context isolation disabled, and web security turned off. With that configuration, injected JavaScript can reach Node APIs directly and escalate the XSS to remote code execution.

Impact

Exploitation of this vulnerability allows arbitrary command execution on the desktop, with potential access to local notes, secrets, and stored tokens or credentials. It also enables persistence, since the attacker can write files into the user profile or workspace.

Reproduction

To reproduce this vulnerability, upload a payload to the notification API that includes JavaScript code. The payload will be inserted into the DOM as HTML, executing the JavaScript in the Electron renderer. Since Node integration is enabled, the injected code can access local OS functionality, such as executing commands or opening applications like the calculator.

Remediation

Update to SiYuan version 3.6.5 or later, which addresses this vulnerability.

Added: Apr 24, 2026, 8:54 PM
Updated: Apr 24, 2026, 8:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 3.8
remediation: 7.7
relevance: 6.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.