Lucene search

K
cvelistGitHub_MCVELIST:CVE-2024-27285
HistoryFeb 28, 2024 - 7:22 p.m.

CVE-2024-27285 YARD's default template vulnerable to Cross-site Scripting in generated frames.html

2024-02-2819:22:15
CWE-79
GitHub_M
www.cve.org
1
yard
xss
cross-site scripting
vulnerability
javascript
0.9.36
cross-site scripting
frames.erb template

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

10.3%

YARD is a Ruby Documentation tool. The “frames.html” file within the Yard Doc’s generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the “frames.erb” template file. This vulnerability is fixed in 0.9.36.

CNA Affected

[
  {
    "vendor": "lsegal",
    "product": "yard",
    "versions": [
      {
        "version": "< 0.9.36",
        "status": "affected"
      }
    ]
  }
]

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

10.3%