Jaroslaw-Wawiorko

**Name of the Vulnerable Software and Affected Versions** FacturaScripts versions 2025.71 and earlier **Description** FacturaScripts software contains a Stored Cross-Site Scripting (XSS) flaw within the Observations field in the History view. The application fails to properly encode HTML entities when rendering historical data. This allows an attacker to inject and execute arbitrary JavaScript code in the browser of administrators viewing the history. The flaw can be exploited by logging in as a regular user, creating or editing a Delivery Note, inserting malicious JavaScript into the Observations field, and then having an administrator view the History tab for that note. Successful exploitation can lead to full account takeover, allowing an attacker to gain complete control of the system, including access to sensitive financial data and user configurations. The attack requires some knowledge of the application's internal API structure, which can be obtained through browser developer tools. **Recommendations** Versions prior to 2025.71 should be updated.

**Name of the Vulnerable Software and Affected Versions** Group-Office versions 6.8.148 and below Group-Office versions 25.0.1 through 25.0.79 **Description** Group-Office, an enterprise customer relationship management and groupware tool, stores unsanitized filenames in the database. This can lead to Stored Cross-Site Scripting (XSS) when users interact with these crafted filenames within the application. The impact is limited to the file-viewing context, potentially allowing interference with user sessions or unintended actions in the browser. **Recommendations** Update Group-Office to version 6.8.149 or later. Update Group-Office to version 25.0.80 or later.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions prior to 3.5.4 **Description** SiYuan is a personal knowledge management system susceptible to reflected cross-site scripting. The issue occurs in the `/api/icon/getDynamicIcon` API endpoint. The endpoint generates SVG images for text icons (type=8), and the `content` parameter is directly inserted into the SVG `<text>` tag without proper XML escaping. Because the response Content-Type is set to `image/svg+xml`, injecting unescaped tags can disrupt the XML structure and allow for JavaScript execution. **Recommendations** Update to version 3.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions prior to 3.5.4 **Description** SiYuan is a personal knowledge management system with a logic issue in the `/api/file/globalCopyFiles` API endpoint. The issue allows authenticated users to copy files from any location on the server’s filesystem into the application’s workspace due to a lack of proper path validation. The vulnerable function, `globalCopyFiles`, accepts a list of source paths (`srcs`) from the JSON request body. While the code verifies file existence using `filelock.IsExist(src)`, it does not confirm if the source path is within the authorized workspace directory. The vulnerability resides in the api/file.go source code. **Recommendations** Update SiYuan to version 3.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** SiYuan versions prior to 3.5.4-dev2 **Description** SiYuan Note does not properly sanitize uploaded SVG files. This allows a user to upload a malicious SVG file, such as one obtained from an untrusted source, which can then execute arbitrary JavaScript code within the user's authenticated session when viewed. The application permits authenticated users to upload files, including .svg images, without removing potentially harmful JavaScript code embedded within them. The vulnerability is triggered when a user exports the malicious SVG file, causing the embedded JavaScript to execute in their browser. **Recommendations** Update SiYuan to version 3.5.4-dev2 or later.