GHSA-xx68-37v4-4596: SiYuan has an arbitrary file read via /api/template/render

Summary

An arbitrary file read vulnerability exists in SiYuan's /api/template/render endpoint. Because the path parameter is not properly validated, an attacker can read sensitive files on the host system.

Impact

Arbitrary file read on the host

CVE ID

CVE-2024-55657


Severity: High (GitHub Reviewed). Published Dec 11, 2024 in siyuan-note/siyuan; updated Dec 11, 2024.

Package

gomod github.com/siyuan-note/siyuan/kernel (Go)

Affected versions

<= 0.0.0-20241210012039-5129ad926a21


References

  • GHSA-xx68-37v4-4596
  • siyuan-note/siyuan@e70ed57

Published to the GitHub Advisory Database

Dec 11, 2024

Last updated

Dec 11, 2024
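Added example, not SiYuan's code and not the fix in the referenced commit: a Go helper showing the kind of path confinement check the summary says was missing, resolving a user-supplied path parameter against an assumed template directory and rejecting anything that escapes it. The function name, the directory and the sample inputs are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested path does not stay inside baseDir.
var ErrOutsideBase = errors.New("path escapes the template directory")

// SafeTemplatePath is a hypothetical check for a render endpoint that takes a
// user-supplied path: it joins the value onto baseDir, normalises it and accepts
// it only if the result is still below baseDir. Absolute paths, the empty string
// and anything resolving to baseDir itself or above it are rejected.
// This is a lexical check only: if baseDir can contain symlinks, resolve the
// final path with filepath.EvalSymlinks and run the same comparison again.
func SafeTemplatePath(baseDir, userPath string) (string, error) {
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	if userPath == "" || filepath.IsAbs(userPath) {
		return "", ErrOutsideBase
	}
	full := filepath.Join(base, userPath) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	// rel is "." for baseDir itself, ".." or "../x" for anything above it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	base := "/srv/siyuan/templates" // assumed location, not SiYuan's real layout
	for _, p := range []string{"daily/note.md", "a/../b.md", "../../etc/hosts", "/etc/hosts", ""} {
		if full, err := SafeTemplatePath(base, p); err != nil {
			fmt.Printf("%-18q rejected: %v\n", p, err)
		} else {
			fmt.Printf("%-18q ok -> %s\n", p, full)
		}
	}
}
```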
