CVE-2026-40259
Improper Authorization in SiYuan Allows Arbitrary Attribute Deletion
Publication date: 2026-04-16
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| b3log | siyuan | up to 3.6.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SiYuan, an open-source personal knowledge management system, in versions 3.6.3 and below. The issue is with the /api/av/removeUnusedAttributeView endpoint, which is protected only by generic authentication that accepts publish-service RoleReader tokens.
The vulnerability allows an authenticated user holding only a publish-service reader role to delete attribute view files without having write privileges. This happens because the endpoint passes a caller-controlled id directly to a model function that deletes the corresponding attribute view file unconditionally, without verifying whether the caller holds write privileges or whether the attribute view is actually unused.
As a result, an attacker can extract publicly exposed data-av-id values from published content and use them to permanently delete arbitrary attribute view definitions, causing breakage in database views and workspace rendering until the deleted views are manually restored.
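The two missing checks, as an added illustration that is not SiYuan's own code: a hypothetical Go model function in the shape the explanation above describes. The type and function names (Role, Workspace, removeAVVulnerable, removeAVHardened) and the in-memory workspace are constructed for this example; the vulnerable version deletes whatever id the caller supplies, while the hardened version rejects reader-role callers and refuses to delete a view that a block still references.

```go
package main

import "errors"

// Role stands in for the role a session token carries (hypothetical type, not SiYuan's).
type Role int

const (
	RoleReader Role = iota // publish-service reader token: read-only access
	RoleEditor             // a role that holds write privileges
)

var (
	ErrForbidden = errors.New("forbidden: write privilege required")
	ErrInUse     = errors.New("attribute view is still referenced by a block")
)

// Workspace is a constructed in-memory stand-in for the data directory:
// attribute view files by id, plus the ids that blocks still reference.
type Workspace struct {
	AVFiles    map[string]bool
	Referenced map[string]bool
}

// NewSampleWorkspace builds constructed sample data: one view a block still uses, one orphan.
func NewSampleWorkspace() *Workspace {
	return &Workspace{
		AVFiles:    map[string]bool{"av-used": true, "av-orphan": true},
		Referenced: map[string]bool{"av-used": true},
	}
}

// removeAVVulnerable mirrors the pattern the advisory describes: the caller-controlled id
// goes straight to the delete routine, with no role check and no check that it is unused.
func removeAVVulnerable(ws *Workspace, _ Role, avID string) error {
	delete(ws.AVFiles, avID)
	return nil
}

// removeAVHardened adds the two missing checks: the caller must hold write privileges
// and the view must be unreferenced before anything is deleted.
func removeAVHardened(ws *Workspace, caller Role, avID string) error {
	if caller == RoleReader {
		return ErrForbidden
	}
	if ws.Referenced[avID] {
		return ErrInUse
	}
	delete(ws.AVFiles, avID)
	return nil
}
```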
How can this vulnerability impact me?
This vulnerability can have a significant impact by allowing an authenticated user with limited read permissions to delete important attribute view files in the SiYuan workspace.
- Permanent deletion of arbitrary attribute view definitions.
- Breakage of database views.
- Disruption of workspace rendering and functionality.
- Manual restoration is required to recover from the damage.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade SiYuan to version 3.6.4 or later, where the issue has been fixed.
Until the upgrade is applied, restrict access to the /api/av/removeUnusedAttributeView endpoint to trusted users only, especially preventing publish-service RoleReader tokens from accessing it.