Описание
SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.
Ссылки
- Patch
- Issue TrackingPatch
- ExploitVendor AdvisoryPatch
Уязвимые конфигурации
Конфигурация 1Версия до 3.5.4 (исключая)
Одно из
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
cpe:2.3:a:b3log:siyuan:3.5.4:dev1:*:*:*:*:*:*
EPSS
Процентиль: 8%
0.00028
Низкий
6.1 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
github
22 дня назад
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload
EPSS
Процентиль: 8%
0.00028
Низкий
6.1 Medium
CVSS3
Дефекты
CWE-79