CVE-2025-21609

Опубликовано: 03 янв. 2025

Источник: nvd

CVSS3: 9.1

EPSS Низкий

Описание

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the POST /api/history/getDocHistoryContent endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.

Ссылки

https://github.com/siyuan-note/siyuan/commit/d9887aeec1b27073bec66299a9a4181dc42969f3
Patch
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8fx8-pffw-w498
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:b3log:siyuan:3.1.18:-:*:*:*:*:*:*

EPSS

Процентиль: 62%

0.00432

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-459

CWE-552

Связанные уязвимости

GHSA-8fx8-pffw-w498

github

около 1 года назад

SiYuan has an arbitrary file deletion vulnerability

SUSE-SU-2025:0060-1

suse-cvrf