CVE-2024-55659: 
Homebrew vulnerability analysis and mitigation

SiYuan, a personal knowledge management system, was found to contain a critical vulnerability (CVE-2024-55659) in versions prior to 3.1.16. The vulnerability was discovered in the /api/asset/upload endpoint, which was susceptible to both arbitrary file write to the host and stored cross-site scripting (XSS) attacks via the file write functionality. The issue was disclosed on December 11, 2024, and has been patched in version 3.1.16 (GitHub Advisory).

The vulnerability affects the /api/asset/upload endpoint in SiYuan's system. The issue was assigned a CVSS v4.0 Base Score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under two CWE categories: CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability allows attackers to perform arbitrary file writes to the host system and execute stored cross-site scripting attacks through the file write functionality. This combination of vulnerabilities could potentially lead to system compromise and unauthorized access to sensitive information (GitHub Advisory).

The vulnerability has been patched in SiYuan version 3.1.16. Users are strongly advised to upgrade to this version or later to protect against these security issues. The fix includes improved path validation and input sanitization (GitHub Commit).