SiYuan Attribute View Name Stored Cross-Site Scripting Vulnerability Leading to Remote Code Execution

Vulnerability

A stored cross-site scripting vulnerability has been identified in SiYuan versions prior to 3.7.0. The application saves Attribute View names without HTML escaping. When these names are later rendered and sent to clients via WebSocket, the application consumes them without escaping, which allows HTML injection. The injection is particularly dangerous because the injected script can execute as Node.js code in the Electron renderer, leading to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the victim's desktop, with the actions being performed under the user's privileges. The executed code can access sensitive files, including SSH and AWS credentials, and can manipulate startup scripts to maintain persistence. This vulnerability also has a high impact on the application's integrity and availability.

Reproduction

To reproduce this vulnerability, first create an Attribute View (AV) in SiYuan v3.6.5. After the AV is created, use the application's API to set the AV name to a payload that carries script in HTML markup (e.g., an image tag with an 'onerror' event handler). The AV name is stored without escaping. When the document containing the AV is opened, the injected markup is rendered, the 'onerror' event fires, and the specified command executes, such as launching a calculator application.

Remediation

Users can update to SiYuan version 3.7.0 or later, where this vulnerability has been fixed.
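
The escaping gap described under Vulnerability, shown as an added example that is not SiYuan's code or its actual fix: a name concatenated into markup as-is beside the same name escaped at render time, plus a helper for reviewing already-stored names after upgrading. The record shape (`id`, `name`), the function names and the sample data are assumptions constructed for illustration.

```javascript
// Added example; hypothetical names and record shape, not SiYuan's code.

// Escape the characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Vulnerable pattern: the stored name reaches the markup unescaped.
function renderTitleUnsafe(av) {
  return `<div class="av-title" data-av-id="${av.id}">${av.name}</div>`;
}

// Hardened pattern: every stored field is escaped at the point of rendering,
// so legitimate names containing < or & still display correctly.
function renderTitleSafe(av) {
  return `<div class="av-title" data-av-id="${escapeHtml(av.id)}">${escapeHtml(av.name)}</div>`;
}

// Audit helper: return ids of stored names that contain tag-like markup,
// inline event-handler attributes or a javascript: URL, for manual review.
function findSuspiciousNames(records) {
  const markup = /<\s*\/?\s*[a-z!][^>]*>|\bon[a-z]+\s*=|javascript:/i;
  return records.filter((r) => markup.test(r.name)).map((r) => r.id);
}

// Constructed sample records (not taken from a real workspace).
const SAMPLE = [
  { id: "av-001", name: "Reading list" },
  { id: "av-002", name: 'Q3 <img src=x onerror="/* script */">' },
  { id: "av-003", name: "Budget < Forecast & Actuals" },
];

console.log(renderTitleSafe(SAMPLE[1]));
console.log(findSuspiciousNames(SAMPLE));
```

Escaping at render time neutralizes names that were stored before the upgrade; the audit helper only identifies them for cleanup.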

Added: May 14, 2026, 7:31 PM
Updated: May 14, 2026, 7:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 6.6
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.