6.1

CVE-2024-27285

Exploit

YARD's default template vulnerable to Cross-site Scripting in generated frames.html

YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file.  This vulnerability is fixed in 0.9.36.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
YardocYard Version < 0.9.36
FedoraprojectFedora Version38
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.06% 0.601
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://lists.debian.org/debian-lts-announce/2024/03/msg00006.html
Mailing List
https://github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa
Patch
https://github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be
Patch
https://github.com/lsegal/yard/pull/1538
Patch
Issue Tracking
https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
Vendor Advisory
Exploit
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml
Third Party Advisory
Exploit
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MR3Z2E2UIZZ7YOR7R645EVSBGWMB2RGA/
Mailing List