Yardoc: Security Vulnerabilities
YARD is a Ruby documentation tool. The "frames.html" file within YARD's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.
CVSS Score: 5.4 | EPSS Score: 0.02 | Published: 2024-02-28
YARD before 0.9.20 allows path traversal.
CVSS Score: 7.5 | EPSS Score: 0.002 | Published: 2019-07-29
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2017-11-28

