Skip to content

Arbitrary file read via /api/template/render

High
88250 published GHSA-xx68-37v4-4596 Dec 11, 2024

Package

gomod https://github.com/siyuan-note/siyuan (Go)

Affected versions

v3.1.15

Patched versions

v3.1.16

Description

Summary

An arbitrary file read vulnerability exists in Siyuan's /api/template/render endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system.

Impact

Arbitrary file read on the host

Severity

High

CVE ID

CVE-2024-55657

Weaknesses

No CWEs

Credits