SiYuan Tooltip XSS Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability in SiYuan, an open-source personal knowledge management system, allows for remote code execution through a tooltip mouseover handler. This issue is present in versions prior to 3.7.0. The vulnerability arises because the 'escapeAriaLabel' function only encodes certain HTML special characters, leaving URL-escapes intact. As a result, a document title containing a crafted image tag with an 'onerror' attribute can bypass the encoding, and when the tooltip is rendered, the HTML parser executes the JavaScript payload. The Electron renderer's security settings allow this injected code to access Node.js functionalities, leading to arbitrary code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the victim's desktop, triggered by hovering over a search result or any other element with a class of 'ariaLabel' that contains attacker-controlled metadata. This vulnerability also has a high impact on confidentiality, integrity, and availability.

Reproduction

The vulnerability can be reproduced by creating a document in SiYuan v3.6.5 with a title that includes a URL-encoded image tag containing JavaScript code in the 'onerror' attribute. After renaming the document to include the payload, hovering over the document in the search results triggers the execution of the JavaScript code, demonstrating the cross-site scripting vulnerability. This issue can also be reproduced by importing a SiYuan '.sy.zip' file containing the malicious payload, or through a compromised browser extension that interacts with the SiYuan application.
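As an added illustration (not SiYuan's own code), the block below models the ordering the advisory describes, in which an escaper that only covers HTML special characters runs before a step that percent-decodes the label, alongside the corrected ordering and an import-time check that a defender could run over document titles taken from a '.sy.zip'. The function names, the exact decoding step and the sample title are assumptions.

```javascript
// Added example, not SiYuan's code; the decode step and names are assumptions.

// Escapes the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// decodeURIComponent throws on malformed input such as a lone '%'; fall back
// to the raw string so a bad title cannot crash the renderer.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Assumed vulnerable ordering: escaping runs first and leaves '%3C' untouched,
// then a later decode turns it into a literal '<' that the HTML parser honours.
function renderTooltipVulnerable(title) {
  return safeDecode(escapeHtml(title));
}

// Corrected ordering: normalise (decode) first, then escape exactly once as
// the last step before the string reaches innerHTML or an attribute value.
function renderTooltipFixed(title) {
  return escapeHtml(safeDecode(title));
}

// True if the rendered string still contains a real tag opener.
function containsTag(html) {
  return /<\s*\/?[a-z!]/i.test(html);
}

// Bounded repeated decoding so double-encoded input cannot hide from the check.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = safeDecode(cur);
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Import-time screen: flag a title that, once decoded, looks like markup or
// carries an inline event-handler attribute.
function isSuspiciousTitle(title) {
  const t = fullyDecode(title);
  return containsTag(t) || /\bon[a-z]+\s*=/i.test(t);
}

// Constructed sample: a percent-encoded image tag with an onerror handler.
const SAMPLE_TITLE = 'Notes %3Cimg src=x onerror=alert(1)%3E';
```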

Remediation

Users can update to SiYuan version 3.7.0, where this vulnerability has been fixed.

Added: May 14, 2026, 7:34 PM
Updated: May 14, 2026, 7:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 5.2
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.