5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
0.0004 Low
EPSS
Percentile
10.4%
The “frames.html” file within the Yard Doc’s generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the “frames.erb” template file.
The vulnerability stems from mishandling user-controlled data retrieved from the URL hash in the embedded JavaScript code within the “frames.erb” template file. Specifically, the script lacks proper sanitization of the hash data before utilizing it to establish the top-level window’s location. This oversight permits an attacker to inject malicious JavaScript payloads through carefully crafted URLs.
Snippet from “frames.erb”:
(v0.9.34)
<script type="text/javascript">
var match = unescape(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : '<%= url_for_main %>';
name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
window.top.location = name;
</script>
(v0.9.35)
<script type="text/javascript">
var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : '<%= url_for_main %>';
name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
window.top.location.replace(name)
</script>
To exploit this vulnerability:
#!javascript:xss
for v0.9.34, and #:javascript:xss
for v0.9.35This XSS vulnerability presents a substantial threat by enabling an attacker to execute arbitrary JavaScript code within the user’s session context. Potential ramifications include session hijacking, theft of sensitive data, unauthorized access to user accounts, and defacement of websites. Any user visiting the compromised page is susceptible to exploitation. It is critical to promptly address this vulnerability to mitigate potential harm to users and preserve the application’s integrity.
github.com/advisories/GHSA-8mq4-9jjh-9xrc
github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa
github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be
github.com/lsegal/yard/pull/1538
github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml
lists.debian.org/debian-lts-announce/2024/03/msg00006.html
lists.fedoraproject.org/archives/list/[email protected]/message/MR3Z2E2UIZZ7YOR7R645EVSBGWMB2RGA
nvd.nist.gov/vuln/detail/CVE-2024-27285