QwikSec

Security Database

CVE

CWE

Training

CVE-2024-27285

Published: Feb 28, 2024

Modified: Feb 13, 2025

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.

Vendor	Product	Versions
lsegal	yard	affected `< 0.9.36`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc

x_refsource_CONFIRM

https://github.com/lsegal/yard/pull/1538

x_refsource_MISC

https://github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa

x_refsource_MISC

https://github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be

x_refsource_MISC

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml

x_refsource_MISC

https://lists.debian.org/debian-lts-announce/2024/03/msg00006.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/MR3Z2E2UIZZ7YOR7R645EVSBGWMB2RGA/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.