exploitDog

GHSA-fqj6-whhx-47p7

Published: 11 Dec 2024
Source: github
GitHub: Reviewed
CVSS4: 8.7

Description

SiYuan has an arbitrary file write in the host via /api/asset/upload

Summary

The /api/asset/upload endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored XSS (via the file write).

Impact

Arbitrary file write

Packages

Name: github.com/siyuan-note/siyuan/kernel (go)
Affected versions: <= 0.0.0-20241210012039-5129ad926a21
Patched version: None

EPSS

Percentile: 67%
0.00535
Low

8.7 High

CVSS4

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 5.4
nvd
about 1 year ago

SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue.