CVE-2024-27285

EUVD-2024-0579
YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file.  This vulnerability is fixed in 0.9.36.
Cross-site Scripting
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 5.4 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
GitHub_M | CNA | 5.4 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
EPSS Score Percentile: 85%
Affected Products (NVD)
Vendor | Product | Version
yardoc | yard | 𝑥 < 0.9.36
debian | debian_linux | 10.0
𝑥 = Vulnerable software versions
Debian Releases
Debian Product | Codename | Version | Status
yard | bookworm | 0.9.28-2+deb12u2 | fixed
yard | bookworm (security) | 0.9.28-2+deb12u2 | fixed
yard | bullseye | 0.9.24-1+deb11u1 | fixed
yard | bullseye (security) | 0.9.24-1+deb11u1 | fixed
yard | forky | 0.9.37-1 | fixed
yard | sid | 0.9.37-1 | fixed
yard | trixie | 0.9.37-1 | fixed
Ubuntu Releases
Ubuntu Product | Codename | Version | Status
yard | bionic | Fixed 0.9.12-2ubuntu0.1~esm1 | released
yard | focal | Fixed 0.9.24-1+deb11u1build0.20.04.1 | released
yard | jammy | Fixed 0.9.26-1ubuntu0.1 | released
yard | mantic | Fixed 0.9.28-2ubuntu0.1 | released
yard | noble | | not-affected
yard | trusty | | ignored
yard | xenial | Fixed 0.8.7.6+git20160220-3ubuntu0.1~esm1 | released