SiYuan Bazaar Unescaped Metadata Vulnerability Leading to Stored Cross-Site Scripting and Electron Code Execution

Vulnerability

A stored cross-site scripting vulnerability has been identified in SiYuan versions prior to 3.7.0. The issue arises in the Bazaar marketplace, where the 'name' and 'version' fields of a package's metadata are rendered into the user interface without proper HTML escaping. This flaw allows for the injection of malicious HTML, which is executed when a user accesses the marketplace tab. The vulnerability is exacerbated by the fact that the SiYuan desktop client is built on Electron with certain security features disabled, enabling the execution of arbitrary operating system commands under the user's account.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected malicious HTML is executed when the marketplace tab is opened. In the Electron desktop client, this cross-site scripting vulnerability can be escalated to execute arbitrary operating system commands under the user's account, with full access to the filesystem and network via Node.js APIs.

Reproduction

The vulnerability can be reproduced by uploading a malicious plugin manifest to the SiYuan Bazaar marketplace. This manifest should include unescaped HTML in the 'name' field, such as an image tag with an 'onerror' event. Once the plugin is installed, the marketplace card will render the 'name' field as a normal-looking entry, but the injected HTML will be executed in the background. In the Electron client, this can be further exploited by replacing the 'onerror' payload with a Node.js API call, such as executing a command to open a system application like Calculator.
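The root cause described in the Vulnerability and Reproduction sections is metadata concatenated into marketplace markup without escaping. The following is an added example, not SiYuan's own code, showing the unsafe pattern beside the hardened one and a review-side check that flags manifests whose display fields contain markup. The manifest object, the `renderCard*` and `fieldsWithMarkup` functions, and the sample package are assumptions for illustration; only the field names 'name' and 'version' come from the advisory.

```javascript
// Added example (not SiYuan project code): rendering Bazaar-style package
// metadata without letting it be interpreted as HTML. The 'name' and
// 'version' field names follow the advisory; everything else is assumed.

// Minimal HTML escaper covering the characters that matter in element
// content and in double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: metadata concatenated straight into the card markup.
// A 'name' such as <img src=x onerror=...> becomes a live element whose
// handler runs as soon as the marketplace tab renders the card.
function renderCardUnsafe(pkg) {
  return `<div class="card"><b>${pkg.name}</b> <span>${pkg.version}</span></div>`;
}

// Hardened pattern: every untrusted field passes through escapeHtml before
// it reaches the markup, so tags and event handlers are displayed as text.
function renderCardSafe(pkg) {
  return `<div class="card"><b>${escapeHtml(pkg.name)}</b> <span>${escapeHtml(pkg.version)}</span></div>`;
}

// Review-side check for a marketplace index: return the display fields of a
// manifest that contain anything resembling markup, so a maintainer can
// reject the submission before it is ever rendered to users.
function fieldsWithMarkup(pkg, fields = ['name', 'version']) {
  const markup = /[<>"']|&#?\w+;|javascript:/i;
  return fields.filter((f) => markup.test(String(pkg[f] ?? '')));
}

// Constructed sample manifest (not a real Bazaar package). The onerror value
// is a placeholder standing in for whatever a submitter might put there.
const samplePkg = {
  name: 'Notes Helper <img src=x onerror="PAYLOAD_PLACEHOLDER">',
  version: '1.0.0',
};

console.log('unsafe :', renderCardUnsafe(samplePkg));
console.log('safe   :', renderCardSafe(samplePkg));
console.log('flagged:', fieldsWithMarkup(samplePkg));
```

Escaping at the rendering boundary is what closes the injection; the manifest-side check is a defence in depth for the marketplace index, since a reviewer-visible flag on any field containing '<', '>', quotes or entities catches the submission before users see it. The Electron escalation described above is a separate hardening concern that this example does not cover.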

Remediation

Users can update to SiYuan version 3.7.0 or later, where this vulnerability has been fixed.

Added: May 14, 2026, 7:24 PM
Updated: May 14, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 6.4
remediation: 0.0
relevance: 8.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.