Assigner | Fluid Attacks |
Reserved | 2024-03-19 |
Published | 2024-04-04 |
Updated | 2024-04-04 |
Description
SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Problem types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Product status
3.0.3
References
https://fluidattacks.com/advisories/dezco/
https://github.com/siyuan-note/siyuan/