CVE-2024-27285

YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.
Configurations

No configuration.

History

21 Nov 2024, 09:04

Type: References
Values Removed / Values Added (each reference was removed and re-added with the same value):
  • https://github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa
  • https://github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be
  • https://github.com/lsegal/yard/pull/1538
  • https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
  • https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml
  • https://lists.debian.org/debian-lts-announce/2024/03/msg00006.html
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MR3Z2E2UIZZ7YOR7R645EVSBGWMB2RGA/

21 Mar 2024, 03:15

Type: References
Values Added:
  • https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MR3Z2E2UIZZ7YOR7R645EVSBGWMB2RGA/

06 Mar 2024, 23:15

Type: References
Values Added:
  • https://lists.debian.org/debian-lts-announce/2024/03/msg00006.html

01 Mar 2024, 17:15

Type: References
Values Added:
  • https://github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa
  • https://github.com/lsegal/yard/pull/1538
  • https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml

Type: Summary
Values Added:
  • (es) YARD is a Ruby Documentation tool. The "frames.html" file within the documentation generated by Yard Doc is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability was fixed in 0.9.35.
Values Removed:
  • (en) YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.35.
Values Added:
  • (en) YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.

28 Feb 2024, 20:15

Type: New CVE

Information

Published : 2024-02-28 20:15

Updated : 2024-11-21 09:04


NVD link : CVE-2024-27285

Mitre link : CVE-2024-27285

CVE.ORG link : CVE-2024-27285

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')