Headline
GHSA-xx68-37v4-4596: SiYuan has an arbitrary file read via /api/template/render
Summary
An arbitrary file read vulnerability exists in SiYuan's /api/template/render endpoint. Because the path parameter is not properly validated, attackers can read sensitive files on the host system.
Impact
Arbitrary file read on the host
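A containment check of the kind the missing path validation calls for, written as an added example (it is not SiYuan's code and not the project's fix). The helper name `ResolveWithin`, the templates directory layout and the file names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase reports a path that resolves outside the allowed directory.
var ErrOutsideBase = errors.New("path escapes template directory")

// ResolveWithin (hypothetical helper) returns userPath's real location only if it lies under baseDir.
func ResolveWithin(baseDir, userPath string) (string, error) {
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	if base, err = filepath.EvalSymlinks(base); err != nil {
		return "", err
	}
	p := userPath
	if !filepath.IsAbs(p) {
		p = filepath.Join(base, p) // relative input is anchored at baseDir
	}
	// EvalSymlinks cleans "..", follows links, and fails for missing files.
	resolved, err := filepath.EvalSymlinks(p)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(base, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return resolved, nil
}

func main() {
	root, _ := os.MkdirTemp("", "tpl-demo") // constructed sample layout
	defer os.RemoveAll(root)
	base := filepath.Join(root, "templates")
	os.Mkdir(base, 0o755)
	os.WriteFile(filepath.Join(base, "daily.md"), []byte("note"), 0o600)
	os.WriteFile(filepath.Join(root, "secret.txt"), []byte("s"), 0o600)
	for _, in := range []string{"daily.md", "../secret.txt", filepath.Join(root, "secret.txt")} {
		_, err := ResolveWithin(base, in)
		fmt.Printf("%-20q allowed=%v\n", in, err == nil)
	}
}
```

The check runs on the resolved path, so a symlink placed inside the allowed directory that points elsewhere is rejected along with `..` sequences and absolute paths.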
- CVE-2024-55657
High severity. GitHub Reviewed. Published Dec 11, 2024 in siyuan-note/siyuan. Updated Dec 11, 2024.
Package
gomod github.com/siyuan-note/siyuan/kernel (Go)
Affected versions
<= 0.0.0-20241210012039-5129ad926a21
References
- GHSA-xx68-37v4-4596
- siyuan-note/siyuan@e70ed57
Published to the GitHub Advisory Database
Dec 11, 2024
Last updated
Dec 11, 2024