SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.2 patches the issue.
The attacker first sends a request to the /api/file/readDir API endpoint, which returns identifiers of documents stored in the application. Next, using the obtained identifiers, the attacker calls the /api/block/getChildBlocks endpoint, which allows reading the contents of all documents. Both endpoints are accessible without authentication from the network (AV:N, PR:N, UI:N), which classifies the vulnerability as CWE-125 (out-of-bounds read / unauthorized data read).
An unauthorized attacker can gain full access to the contents of all documents stored in the SiYuan system, resulting in a breach of user data confidentiality and integrity.
SiYuan must be updated to version 3.6.2 or later, which contains a patch eliminating the described vulnerability. Details are available in the vendor's security advisory on GitHub.
B3Log SiYuan in versions prior to 3.6.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HB3log Siyuan
APPB3Log< 3.6.2
Related vulnerabilities
B3Log SiYuan: XSS w diagramach Mermaid eskaluje do RCE w Electron
RCE przez stored XSS w kliencie desktopowym B3Log SiYuan
RCE w SiYuan poprzez nadmiernie permisywną politykę CORS
Stored XSS → RCE w B3Log SiYuan via złośliwy URL w Attribute View
Path Traversal w B3Log SiYuan — nieautoryzowane odczytywanie struktury plików