漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata
Vulnerability Description
SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim's operating system — with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1.
CVSS Information
N/A
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
SiYuan 安全漏洞
Vulnerability Description
SiYuan是SiYuan开源的一个隐私至上的个人知识管理系统。 SiYuan 3.6.0及之前版本存在安全漏洞,该漏洞源于package元数据字段未进行HTML转义,可能导致跨站脚本攻击和远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A