UNKNOWN Go
SiYuan has an arbitrary file write in the host via /api/asset/upload
GHSA-fqj6-whhx-47p7 · CVE-2024-55659 · GO-2024-3326
Published · Modified
Description
Summary
The /api/asset/upload endpoint in SiYuan is vulnerable to both an arbitrary file write to the host and stored XSS (via the file write).
Impact
Arbitrary file write
References
- WEB https://github.com/siyuan-note/siyuan/security/advisories/GHSA-fqj6-whhx-47p7
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-55659
- WEB https://github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71
- PACKAGE https://github.com/siyuan-note/siyuan
- WEB https://pkg.go.dev/vuln/GO-2024-3326