MidnightBSD

Advisories for yardoc

CVE-2017-17042 MEDIUM

lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor   Product   Version
yardoc   yard      *
CVE-2019-1020001 MEDIUM

yard before 0.9.20 allows path traversal.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor   Product   Version
yardoc   yard      *
CVE-2024-27285

YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.

CVSS 3.x

Source                          Score  Severity  Vector                                        Exploitability  Impact
security-advisories@github.com  5.4    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N  2.8             2.5

Products Affected

Vendor          Product        Version
debian          debian_linux   10.0
fedoraproject   fedora         38
yardoc          yard           *