6 matches found
SiYuan 代码问题漏洞
SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan itself. Versions of SiYuan prior to 3.6.4 contained code vulnerabilities. These vulnerabilities stemmed from insecure Mermaid.js configurations and the lack of secondary cleanup steps, which could lead to NTLMv2...
PT-2026-31734
SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, tags with src attributes survive Mermaid's internal DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary...
GHSA-X3VM-38HW-55WF Possible inject arbitrary `CSS` into the generated graph affecting the container HTML
An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors. The following example shows how an attacker can exfiltrat...
Possible inject arbitrary `CSS` into the generated graph affecting the container HTML
An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors. The following example shows how an attacker can exfiltrat...
CVE-2022-31108 Arbitrary `CSS` injection into the generated graph affecting the container HTML in mermaid.js
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the...
CVE-2022-31108 Arbitrary `CSS` injection into the generated graph affecting the container HTML in mermaid.js
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the...