CVE-2024-27285

YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file.  This vulnerability is fixed in 0.9.36.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
GitHub_MCNA
5.4 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 81%
VendorProductVersion
yardocyard
𝑥
< 0.9.36
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
yard
bullseye (security)
0.9.24-1+deb11u1
fixed
bullseye
0.9.24-1+deb11u1
fixed
bookworm
0.9.28-2+deb12u2
fixed
bookworm (security)
0.9.28-2+deb12u2
fixed
sid
0.9.37-1
fixed
trixie
0.9.37-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
yard
noble
not-affected
mantic
Fixed 0.9.28-2ubuntu0.1
released
jammy
Fixed 0.9.26-1ubuntu0.1
released
focal
Fixed 0.9.24-1+deb11u1build0.20.04.1
released
bionic
Fixed 0.9.12-2ubuntu0.1~esm1
released
xenial
Fixed 0.8.7.6+git20160220-3ubuntu0.1~esm1
released
trusty
ignored