Skip to content

Arbitrary file read and path traversal via /api/export/exportResources

High
88250 published GHSA-25w9-wqfq-gwqx Dec 11, 2024

Package

gomod https://github.com/siyuan-note/siyuan (Go)

Affected versions

v3.1.15

Patched versions

v3.1.16

Description

Summary

Siyuan's /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure.

Impact

Arbitrary File Read

Severity

High

CVE ID

CVE-2024-55658

Weaknesses

No CWEs

Credits