CVE-2024-27285 MEDIUM

CVE-2024-27285: YARD's default template vulnerable to Cross-site Scripting in generated frames.html

Vendor Lsegal

Product yard

Weakness CWE-79 · XSS

Published February 28, 2024

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.

Key dates

02Disclosure timeline

February 28, 2024 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-27285

Related vulnerabilities

04Related CVE

CVE-2025-22546 WordPress jQuery TwentyTwenty plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability CVE-2022-45365 WordPress Stock Ticker Plugin <= 3.23.2 is vulnerable to Cross Site Scripting (XSS) CVE-2023-29304 Adobe Experience Manager | Cross-site Scripting (Reflected XSS) (CWE-79) CVE-2025-26626 GLPI Inventory Plugin vulnerable to reflective Cross-site Scripting CVE-2025-22583 WordPress Scan External Links Plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability