PT-2024-36572 · Siyuan · Siyuan

Elleuch-X1 · Published 2024-12-11 · Updated 2024-12-18 · CVE-2024-55658

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.1.16

Description: SiYuan is a personal knowledge management system. The /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal. The paths parameter is joined to the workspace directory without being confined to it, so an attacker can supply ../ sequences that traverse out of the workspace and download arbitrary files from the host system.

Recommendations: Update to version 3.1.16 or later. Until the update is applied, restrict access to the /api/export/exportResources endpoint and do not pass untrusted values in the paths parameter of that endpoint.
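The following Go snippet is an added illustration of the bug class described above, not SiYuan's own code or its actual fix. It contrasts the vulnerable pattern (joining a caller-supplied relative path to the workspace root with no containment check) with a hardened resolver that rejects any result outside the workspace. The function names, the workspace path and the sample inputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned when a requested path escapes the workspace root.
var ErrOutsideWorkspace = errors.New("path escapes workspace")

// unsafeResolve mirrors the vulnerable pattern: the caller-supplied path is
// joined to the workspace directory and returned as-is. filepath.Join cleans
// the ".." segments, so "../../../../etc/passwd" simply resolves to
// /etc/passwd and the file is served. (Illustrative, not SiYuan's code.)
func unsafeResolve(workspace, requested string) string {
	return filepath.Join(workspace, requested)
}

// safeResolve joins the requested path to the workspace and then checks that
// the cleaned result is still below the workspace root. filepath.Rel yields a
// path starting with ".." exactly when the target sits outside the root, so
// that is the rejection condition. Absolute inputs are rejected outright
// because the endpoint is only meant to serve workspace-relative resources.
func safeResolve(workspace, requested string) (string, error) {
	if filepath.IsAbs(requested) {
		return "", ErrOutsideWorkspace
	}
	root := filepath.Clean(workspace)
	full := filepath.Join(root, requested)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", ErrOutsideWorkspace
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return full, nil
}

func main() {
	// Constructed workspace location and sample "paths" values.
	workspace := "/home/user/SiYuan/workspace"
	samples := []string{
		"data/assets/note.png",     // legitimate export
		"../../../../etc/passwd",   // classic traversal
		"data/../../escaped.txt",   // traversal hidden behind a valid prefix
		"/etc/shadow",              // absolute path
	}
	for _, p := range samples {
		fmt.Printf("%-26s unsafe -> %s\n", p, unsafeResolve(workspace, p))
		full, err := safeResolve(workspace, p)
		fmt.Printf("%-26s safe   -> %q err=%v\n", p, full, err)
	}
}
```

The lexical check above is sufficient for the ../ traversal the advisory describes; a resolver that also follows symlinks inside the workspace would additionally need to run the same containment check on the result of filepath.EvalSymlinks.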

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2024-55658
GHSA-25W9-WQFQ-GWQX
GO-2024-3323
OPENSUSE-SU-2024:14599-1

Affected Products

Siyuan