Lucene search

Veracode Vulnerability DatabaseVERACODE:45690

HistoryFeb 29, 2024 - 5:45 a.m.

Cross-Site Scripting(XSS)

2024-02-2905:45:38

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

yard

cross-site scripting

frames.erb

javascript

vulnerability

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.9%

JSON

YARD is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper sanitization of user input within the frames.erb template file, allowing an attacker to inject arbitrary JavaScript into the page.

CPENameOperatorVersion
yardle0.9.34
yard:sideq0.9.24-1
yard:bookwormeq0.9.24-1
yardle0.9.34
yard:sideq0.9.24-1
yard:bookwormeq0.9.24-1

Name	Operator	Version
yard	le	0.9.34
yard:sid	eq	0.9.24-1
yard:bookworm	eq	0.9.24-1
yard	le	0.9.34
yard:sid	eq	0.9.24-1
yard:bookworm	eq	0.9.24-1

References

github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa

github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be

github.com/lsegal/yard/pull/1538

github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc

github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml

lists.debian.org/debian-lts-announce/2024/03/msg00006.html

lists.fedoraproject.org/archives/list/[email protected]/message/MR3Z2E2UIZZ7YOR7R645EVSBGWMB2RGA/