Vulnerability Information
Vulnerability Title
SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access
Vulnerability Description
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic authentication, not admin rights, so any logged-in user, even a Reader, can run any SQL query on the database. This issue has been patched in version 3.6.0.
CVSS Information
N/A
Vulnerability Type
Missing Authorization
Vulnerability Title
SiYuan Security Vulnerability
Vulnerability Description
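SiYuan is an open-source, privacy-first personal knowledge management system from SiYuan. Versions of SiYuan prior to 3.6.0 contain a security vulnerability that stems from the /api/query/sql interface checking only basic authentication, which may lead to arbitrary SQL query execution.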
CVSS Information
N/A
Vulnerability Type
N/A