Moderate severity · NVD Advisory · Published Feb 28, 2024 · Updated Feb 13, 2025
YARD's default template vulnerable to Cross-site Scripting in generated frames.html
CVE-2024-27285
Description
YARD is a Ruby documentation tool. The frames.html file in YARD's generated documentation is vulnerable to cross-site scripting (XSS) because the JavaScript segment of the frames.erb template does not adequately sanitize user input (the location hash it reads to pick the page to display). This vulnerability is fixed in 0.9.36.
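The same-origin check that the patched template performs, as an added stand-alone example (not YARD's own code; the host name, page names and sample hashes are constructed):

```javascript
// Added example, not YARD's own code: a stand-alone model of the same-origin
// check that the patched frames.erb template (PR #1538 on this page) performs
// before the frameset navigates. Takes the page's location.hash, the generated
// main page URL (what url_for_main emits) and the frameset's own href, and
// returns the absolute URL the frameset would navigate to.
function resolveFrameTarget(hash, mainUrl, baseHref) {
  // The safe fallback: the documentation's own main page.
  var fallback = new URL(mainUrl, baseHref).href;
  try {
    // The "#!path" convention lets a deep link pick the page to show.
    var match = decodeURIComponent(hash).match(/^#!(.+)/);
    var name = match ? match[1] : mainUrl;
    // Resolve relative to the frameset document, as the browser would, so
    // protocol-relative and absolute targets get a real origin to compare.
    var url = new URL(name, baseHref);
    var base = new URL(baseHref);
    // Only same-origin documentation pages are navigated to.
    return url.origin === base.origin ? url.href : fallback;
  } catch (e) {
    // decodeURIComponent throws URIError on a malformed percent-escape and
    // new URL throws TypeError on unparsable input; both fall back safely.
    return fallback;
  }
}

// Constructed sample inputs for a documentation set served from a site
// (hypothetical host, not a real deployment).
var BASE = 'https://docs.example.test/yard/frames.html';
var MAIN = 'index.html';
var SAMPLE_HASHES = [
  '',                                        // no deep link: main page
  '#!Foo/Bar.html',                          // relative page: allowed
  '#!https://other.example.test/page.html',  // other origin: fallback
  '#!//other.example.test/page.html',        // protocol-relative: fallback
  '#!%2F%2Fother.example.test%2Fpage.html',  // encoded slashes: decoded first
  '#!%E0%A4%A'                               // malformed escape: fallback
];

// Returns a table of hash -> resolved target for the sample inputs.
function resolveSamples() {
  var out = {};
  SAMPLE_HASHES.forEach(function (h) { out[h] = resolveFrameTarget(h, MAIN, BASE); });
  return out;
}

Object.entries(resolveSamples()).forEach(function (pair) {
  console.log(JSON.stringify(pair[0]) + ' -> ' + pair[1]);
});
```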
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yard (RubyGems) | < 0.9.36 | 0.9.36 |
Patches
1fcb2d8b316c Merge pull request #1538 from RedYetiDev/patch-2
1 file changed · +9 −4
templates/default/fulldoc/html/frames.erb+9 −4 modified@@ -5,10 +5,15 @@ <title><%= options.title %></title> </head> <script type="text/javascript"> - var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/); - var name = match ? match[1] : '<%= url_for_main %>'; - name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim(); - window.top.location.replace(name) +var mainUrl = '<%= url_for_main %>'; +try { + var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/); + var name = match ? match[1] : mainUrl; + var url = new URL(name, location.href); + window.top.location.replace(url.origin === location.origin ? name : mainUrl); +} catch (e) { + window.top.location.replace(mainUrl); +} </script> <noscript> <h1>Oops!</h1>
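Review bot: the final `window.top.location.replace(url.origin === location.origin ? name : mainUrl)` navigates to the raw `name` string even though the origin comparison was made on the parsed `url`; passing `url.href` instead keeps the value that was checked identical to the value that is used, and makes the redirect target explicit in the generated page. Two smaller points: the `try` block also swallows the `URIError` that `decodeURIComponent` raises on a malformed hash, which is the intended fallback but deserves a comment so it is not removed as dead code later, and the change would benefit from a spec that exercises the fallback branch with a cross-origin and an unparsable `#!` value.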
2069e2bf0829 Merge pull request from GHSA-8mq4-9jjh-9xrc
1 file changed · +3 −3
templates/default/fulldoc/html/frames.erb+3 −3 modified@@ -5,10 +5,10 @@ <title><%= options.title %></title> </head> <script type="text/javascript"> - var match = unescape(window.location.hash).match(/^#!(.+)/); + var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/); var name = match ? match[1] : '<%= url_for_main %>'; - name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, ''); - window.top.location = name; + name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim(); + window.top.location.replace(name) </script> <noscript> <h1>Oops!</h1>
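Review bot: the `name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();` line is a denylist-style normalization: it strips a leading scheme and any run of slashes or backslashes, but the policy of where the frameset may navigate is still left implicit. Comparing the resolved target's origin with the document's own origin (parse with `new URL(name, location.href)` and check `origin`) states that policy directly, which is what the follow-up commit 1fcb2d8 listed on this page does. Also, `decodeURIComponent` throws `URIError` on a malformed percent-escape and is not caught here, and `window.top.location.replace(name)` is missing its trailing semicolon.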
References
- github.com/advisories/GHSA-8mq4-9jjh-9xrc
- nvd.nist.gov/vuln/detail/CVE-2024-27285
- github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa
- github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be
- github.com/lsegal/yard/pull/1538
- github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
- github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml
- lists.debian.org/debian-lts-announce/2024/03/msg00006.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MR3Z2E2UIZZ7YOR7R645EVSBGWMB2RGA