GHSA-pcjq-j3mq-jv5j: SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session.

Details

The application allows authenticated users to upload files, including .svg images, without sanitizing the content to remove embedded JavaScript (such as <script> elements or on* event-handler attributes).

PoC

  1. Create a new “Daily note” in the workspace.
  2. Create a file named test.svg with malicious JavaScript inside:

     <svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
       <rect width="124" height="124" rx="24" fill="red"/>
       <script type="text/javascript">
         alert(window.origin);
       </script>
     </svg>

  3. Upload the file into the current daily note.
  4. Open the file:
     • Right-click the uploaded asset in the note.
     • Select “Export”.
  5. The JavaScript code executes immediately.

Impact

The vulnerability allows an authenticated user to upload an SVG file containing malicious scripts. When a user exports this file, the embedded JavaScript is executed within their browser context, i.e. in the authenticated session; the alert(window.origin) in the PoC shows the origin the script runs under.
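The unsanitized SVG upload described under Details and exercised by the PoC can be stopped at upload time by re-serialising the file without anything that can execute. The following is an added example in Go (the language of SiYuan's kernel); it is not SiYuan's code and not the fix referenced under Solution. The function and variable names are the example's own, and the sample input PoCSVG is the PoC payload from this advisory embedded as a constant.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// PoCSVG is the advisory's PoC payload, embedded here as constructed sample input.
const PoCSVG = `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="red"/>
<script type="text/javascript">alert(window.origin);</script>
</svg>`

// Subtrees dropped wholesale: <script> runs directly, <foreignObject> embeds HTML.
var dropElements = map[string]bool{"script": true, "foreignobject": true}
var textEsc = strings.NewReplacer("&", "&amp;", "<", "&lt;", ">", "&gt;")
var attrEsc = strings.NewReplacer("&", "&amp;", "<", "&lt;", ">", "&gt;", `"`, "&quot;")

// isDangerousAttr flags on* handlers, any javascript:-scheme value (this also
// catches <set>/<animate> "to"/"values") and data: hrefs (deliberately strict: it
// drops embedded rasters too). The value is lowercased and stripped of
// whitespace/control bytes first, so "jAva<TAB>script:" still matches.
func isDangerousAttr(a xml.Attr) bool {
	name := strings.ToLower(a.Name.Local)
	v := strings.Map(func(r rune) rune {
		if r <= ' ' {
			return -1
		}
		return r
	}, strings.ToLower(a.Value))
	return strings.HasPrefix(name, "on") || strings.HasPrefix(v, "javascript:") ||
		(name == "href" && strings.HasPrefix(v, "data:"))
}

// qname prints a raw name with its prefix as written, e.g. "xlink:href".
func qname(n xml.Name) string {
	if n.Space != "" {
		return n.Space + ":" + n.Local
	}
	return n.Local
}

// SanitizeSVG re-serialises an SVG without script/foreignObject subtrees, event
// handlers, script-scheme URLs, comments, processing instructions and DOCTYPE
// directives. Input that is not well-formed XML is rejected rather than repaired.
func SanitizeSVG(in []byte) ([]byte, error) {
	dec := xml.NewDecoder(bytes.NewReader(in))
	var out bytes.Buffer
	var stack []string // open elements; RawToken does not check nesting for us
	skip := 0          // >0 while inside a dropped subtree
	for {
		tok, err := dec.RawToken() // raw: namespace prefixes are kept as written
		if err == io.EOF {
			break
		} else if err != nil {
			return nil, fmt.Errorf("rejecting malformed SVG: %w", err)
		}
		switch t := tok.(type) {
		case xml.StartElement:
			stack = append(stack, qname(t.Name))
			if skip > 0 || dropElements[strings.ToLower(t.Name.Local)] {
				skip++
				continue
			}
			out.WriteString("<" + qname(t.Name))
			for _, a := range t.Attr {
				if !isDangerousAttr(a) {
					out.WriteString(" " + qname(a.Name) + `="` + attrEsc.Replace(a.Value) + `"`)
				}
			}
			out.WriteByte('>')
		case xml.EndElement:
			if len(stack) == 0 || stack[len(stack)-1] != qname(t.Name) {
				return nil, fmt.Errorf("rejecting malformed SVG: unexpected </%s>", qname(t.Name))
			}
			stack = stack[:len(stack)-1]
			if skip > 0 {
				skip--
				continue
			}
			out.WriteString("</" + qname(t.Name) + ">")
		case xml.CharData:
			if skip == 0 {
				out.WriteString(textEsc.Replace(string(t)))
			}
		} // xml.Comment, xml.ProcInst and xml.Directive (DOCTYPE, entities) are dropped
	}
	if len(stack) != 0 {
		return nil, fmt.Errorf("rejecting malformed SVG: unclosed <%s>", stack[len(stack)-1])
	}
	return out.Bytes(), nil
}

func main() {
	out, err := SanitizeSVG([]byte(PoCSVG))
	fmt.Printf("%s\nerr=%v\n", out, err)
}
```

Call SanitizeSVG on an upload before it is written to the assets directory, and reject the file when it returns an error. Two caveats a reviewer would raise: a deny-list like this must be kept current (an allow-list of SVG elements and attributes is the safer design), and it does nothing for files already stored, so the serving side should also send uploaded assets with a Content-Disposition: attachment header or a Content-Security-Policy: sandbox so that a script that does get through cannot run in the application's origin. Referencing an SVG from an <img> element never runs its scripts; navigating to the file directly, or embedding it via <object> or <iframe>, does.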

Notes

Tested version: (given only as a screenshot in the original report)

Solution

https://github.com/siyuan-note/siyuan/issues/16844


References

  • GHSA-pcjq-j3mq-jv5j
  • siyuan-note/siyuan#16844
  • siyuan-note/siyuan@11115da
