Headline

GHSA-4pjc-pwgq-q9jp: SiYuan has an SSTI via /api/template/renderSprig

Summary

Siyuan’s /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables

Impact

Information leakage

30 days ago

ghsa

Open in Source

#git

GitHub Advisory Database
GitHub Reviewed
CVE-2024-55660

SiYuan has an SSTI via /api/template/renderSprig

Moderate severity GitHub Reviewed Published Dec 11, 2024 in siyuan-note/siyuan • Updated Dec 11, 2024

Package

gomod github.com/siyuan-note/siyuan/kernel (Go)

Affected versions

<= 0.0.0-20241210012039-5129ad926a21

Summary

Impact

Information leakage

References

GHSA-4pjc-pwgq-q9jp
siyuan-note/siyuan@e70ed57

Published to the GitHub Advisory Database

Dec 11, 2024

Last updated

Dec 11, 2024

ghsa: Latest News

GHSA-x7m9-mv49-fv73: Vaultwarden vulnerable to user impersonation

1 day ago

ghsa

GHSA-vprm-27pv-jp3w: Vaultwarden authenticated reflected cross-site scripting (XSS) vulnerability

1 day ago

ghsa

GHSA-g5x8-v2ch-gj2g: Vaultwarden HTML injection vulnerability

1 day ago

ghsa

GHSA-5xh2-23cc-5jc6: Strawberry GraphQL has type resolution vulnerability in node interface that allows potential data leakage through incorrect type resolution

1 day ago

ghsa

GHSA-675f-rq2r-jw82: JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh

1 day ago

ghsa