Описание
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session.
Details
The application allows authenticated users to upload files, including .svg images, without sanitizing the input to remove embedded JavaScript code (such as
PoC
- Create a new "Daily note" in the workspace.
- Create a file named test.svg with malicious JavaScript inside:
- Upload a file in current daily note:
- Right-click the uploaded asset in the note.
- Select "Export"
- The JavaScript code executes immediately.
Impact
The vulnerability allows to upload an SVG file containing malicious scripts. When a user exports this file, the embedded arbitrary JavaScript code is executed within their browser context
Notes
Tested version:
Solution
Пакеты
github.com/siyuan-note/siyuan/kernel
< 0.0.0-20260116101155-11115da3d0de
0.0.0-20260116101155-11115da3d0de
Связанные уязвимости
SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.