CVE-2024-2692: SiYuan 3.0.3 - RCE via Server Side XSS

9.0 CVSS

Description

SiYuan version 3.0.3 allows an attacker to execute arbitrary commands on the server. This is possible because the application is vulnerable to server-side XSS: attacker-controlled content is interpreted as script in a server-side context rather than only in a client's browser, which is what turns this CWE-79 issue into command execution.

Classification

CVE ID: CVE-2024-2692

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: SiYuan

Product: SiYuan

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.22% (estimated probability of exploitation activity in the wild within the next 30 days)

EPSS Percentile: 44.67% (proportion of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-06 (date on which this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-2692
https://fluidattacks.com/advisories/dezco/
https://github.com/siyuan-note/siyuan/

Timeline