Lucene search

K

[email protected]NVD:CVE-2024-27285

HistoryFeb 28, 2024 - 8:15 p.m.

CVE-2024-27285

2024-02-2820:15:41

CWE-79

[email protected]

web.nvd.nist.gov

yard

ruby

documentation

xss

frames.html

cross-site scripting

vulnerability

frames.erb

template file

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

10.4%

YARD is a Ruby Documentation tool. The “frames.html” file within the Yard Doc’s generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the “frames.erb” template file. This vulnerability is fixed in 0.9.36.

References

github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa

github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be

github.com/lsegal/yard/pull/1538

github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc

github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml

lists.debian.org/debian-lts-announce/2024/03/msg00006.html

lists.fedoraproject.org/archives/list/[email protected]/message/MR3Z2E2UIZZ7YOR7R645EVSBGWMB2RGA/

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

10.4%

Related for NVD:CVE-2024-27285

osv5 debian2 nessus4 openvas4 github1 debiancve1 veracode1 prion1 ubuntucve1 redhatcve1 cve1 cvelist1 fedora1 ubuntu1 rapid7blog1