CVE-2024-27285

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-27285
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27285.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-27285
Aliases
Downstream
Published
2024-02-28T19:22:15Z
Modified
2025-10-22T18:41:23.681257Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
YARD's default template vulnerable to Cross-site Scripting in generated frames.html
Details

YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.

Database specific 
{
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/lsegal/yard

Affected ranges

Type
GIT
Repo
https://github.com/lsegal/yard
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e833aac7a01510245dd4ae1d1d18b046c8293c2d

Affected versions

v0.*

v0.2.2
v0.2.3
v0.2.3.1
v0.2.3.2
v0.2.3.3
v0.2.3.4
v0.2.3.5
v0.4.0
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.8.0
v0.8.1
v0.8.2
v0.8.2.1
v0.8.3
v0.8.4
v0.8.4.1
v0.8.5
v0.8.5.1
v0.8.5.2
v0.8.6
v0.8.6.1
v0.8.6.2
v0.8.7
v0.8.7.1
v0.8.7.2
v0.8.7.3
v0.8.7.4
v0.8.7.5
v0.8.7.6
v0.9.0
v0.9.1
v0.9.10
v0.9.11
v0.9.12
v0.9.13
v0.9.14
v0.9.15
v0.9.16
v0.9.17
v0.9.19
v0.9.2
v0.9.20
v0.9.21
v0.9.22
v0.9.23
v0.9.24
v0.9.25
v0.9.26
v0.9.27
v0.9.28
v0.9.29
v0.9.3
v0.9.30
v0.9.31
v0.9.32
v0.9.33
v0.9.34
v0.9.35
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9