SiYuan Knowledge Management System Access Control Vulnerability in Tag API Endpoint

Vulnerability

A vulnerability exists in the SiYuan personal knowledge management system in versions prior to 3.7.0, specifically in the POST /api/tag/getTag endpoint. The access control is inadequate: the endpoint requires authentication only and performs neither an administrative check nor a read-only-workspace check. Any authenticated user, including RoleReader and RoleEditor accounts in read-only workspaces, can therefore change the tag sorting configuration. The impact is worsened by the fact that the change is saved to the workspace's configuration file, potentially overwriting other users' settings.

Impact

Exploitation of this vulnerability allows unauthorized modification of the tag sorting order, and the change is persisted to the workspace's configuration file. This disrupts the intended sorting behaviour and risks overwriting other users' configuration settings; because the write goes to the shared global configuration object, it also creates a time-of-check-to-time-of-use condition on that object.
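The following Go example illustrates the access-control gap described in the Vulnerability and Impact sections and one way to close it. It is an added example and not SiYuan's code: the roles, the Session and Workspace types, the TagRequest shape, and the policy that a configuration write needs an administrator on a writable workspace are all assumptions modelled on the identifiers the advisory mentions (CheckAuth, RoleReader, RoleEditor, Conf.Tag.Sort). The permissive handler checks authentication only, so a reader in a read-only workspace can alter the shared sort setting; the guarded handler keeps reads open but refuses the write for non-administrators or read-only workspaces, and performs the check and the write under the same lock so the decision cannot go stale between check and use.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Role models the workspace roles named in the advisory. These constants
// and the surrounding types are constructed for this example; they are
// not SiYuan's own definitions.
type Role int

const (
	RoleAdministrator Role = iota
	RoleEditor
	RoleReader
)

// Session is the result of an authentication check (the advisory's CheckAuth).
type Session struct {
	Authenticated bool
	Role          Role
}

// Workspace holds the single shared configuration object that both
// handlers read and write. TagSort stands in for Conf.Tag.Sort; the mutex
// is this example's own addition.
type Workspace struct {
	mu       sync.Mutex
	ReadOnly bool
	TagSort  int
}

var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrForbidden       = errors.New("forbidden: configuration write requires an administrator on a writable workspace")
)

// TagRequest mirrors the request shape the advisory describes: an optional
// sort argument on what is otherwise a read endpoint.
type TagRequest struct {
	Sort *int
}

// getTagPermissive models the behaviour described for versions before
// 3.7.0: authentication is the only gate, so any signed-in role can write
// the optional sort argument into the shared configuration.
func getTagPermissive(ws *Workspace, s Session, req TagRequest) (int, error) {
	if !s.Authenticated {
		return 0, ErrUnauthenticated
	}
	if req.Sort != nil {
		ws.TagSort = *req.Sort // unguarded write to global configuration
	}
	return ws.TagSort, nil
}

// getTagGuarded is a hardened variant (an assumed policy, not the
// project's actual patch): reads remain available to every authenticated
// role, a write requires an administrator on a workspace that is not
// read-only, and check and write happen under the configuration lock.
func getTagGuarded(ws *Workspace, s Session, req TagRequest) (int, error) {
	if !s.Authenticated {
		return 0, ErrUnauthenticated
	}
	ws.mu.Lock()
	defer ws.mu.Unlock()
	if req.Sort != nil {
		if s.Role != RoleAdministrator || ws.ReadOnly {
			return ws.TagSort, ErrForbidden // configuration left untouched
		}
		ws.TagSort = *req.Sort
	}
	return ws.TagSort, nil
}

func main() {
	// Constructed scenario: a reader in a read-only workspace sends a sort value.
	ws := &Workspace{ReadOnly: true, TagSort: 0}
	reader := Session{Authenticated: true, Role: RoleReader}
	newSort := 4

	got, err := getTagPermissive(ws, reader, TagRequest{Sort: &newSort})
	fmt.Printf("permissive handler: sort=%d err=%v\n", got, err)

	ws.TagSort = 0
	got, err = getTagGuarded(ws, reader, TagRequest{Sort: &newSort})
	fmt.Printf("guarded handler:    sort=%d err=%v\n", got, err)
}
```

The guarded handler decides on the role and the read-only flag inside the same critical section that performs the write, which is what removes the check-then-use window on the global configuration object; the authorization rule itself is separate from that and should match whatever policy the deployment actually intends for configuration changes.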

Reproduction

To reproduce this vulnerability, authenticate as any user role that passes the CheckAuth requirement, such as an admin. Then, send a POST request to the /api/tag/getTag endpoint with a sort argument to change the Conf.Tag.Sort value. After the request is processed, the new sort value can be confirmed by checking the workspace's configuration file, where the change will be reflected.

Remediation

Users should update to SiYuan version 3.7.0 or later, where this vulnerability has been fixed.

Added: May 14, 2026, 7:26 PM
Updated: May 14, 2026, 7:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.