@@ -25,22 +25,34 @@ description: |
2525 JavaScript payloads through carefully crafted URLs.
2626
2727 Snippet from "frames.erb":
28+ (v0.9.34)
2829 ```erb
2930 <script type="text/javascript">
3031 var match = unescape(window.location.hash).match(/^#!(.+)/);
31- var name = match ? match[1] : '<= url_for_main >';
32+ var name = match ? match[1] : '<% = url_for_main % >';
3233 name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
3334 window.top.location = name;
3435 </script>
3536 ```
3637
38+ (v0.9.35)
39+ ```erb
40+ <script type="text/javascript">
41+ var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
42+ var name = match ? match[1] : '<%= url_for_main % >';
43+ name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
44+ window.top.location.replace(name)
45+ </script>
46+ ```
47+
3748 ### PoC (Proof of Concept)
3849
3950 To exploit this vulnerability:
4051 1. Gain access to the generated Yard Doc.
4152 2. Locate and access the "frames.html" file.
4253 3. Construct a URL containing the malicious payload in the hash
43- segment, for instance: `#!javascript:xss`
54+ segment, for instance: `#!javascript:xss` for v0.9.34, and
55+ `#:javascript:xss` for v0.9.35
4456
4557 ### Impact
4658
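Review bot: The two ERB snippets in this hunk quote the `url_for_main` tag inconsistently and neither form is valid ERB: the v0.9.34 block now reads `'<% = url_for_main % >'` and the v0.9.35 block `'<%= url_for_main % >'`. If the intent is to quote the template source verbatim, use `'<%= url_for_main %>'` in both; if the spacing is deliberate to keep the tag from being evaluated when the YAML is rendered, apply the same spacing to both blocks so readers do not mistake the difference for part of the fix. It would also help to state in the description that the v0.9.35 snippet is the incomplete fix (the `.replace(/^((\w*):)?[\/\\]*/gm, '')` form still reachable via the `#:javascript:xss` hash shown in the PoC), since the hunk adds the second snippet and the second PoC payload without saying why two versions are listed.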
@@ -54,11 +66,13 @@ description: |
5466 the application's integrity.
5567cvss_v3 : 5.4
5668patched_versions :
57- - " >= 0.9.35 "
69+ - " >= 0.9.36 "
5870related :
5971 url :
60- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27285
61- - https://github.com/lsegal/yard/releases/tag/v0.9.35
6272 - https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
6373 - https://github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be
74+ - https://nvd.nist.gov/vuln/detail/CVE-2024-27285
6475 - https://github.com/advisories/GHSA-8mq4-9jjh-9xrc
76+ - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml
77+ - https://github.com/lsegal/yard/pull/1538
78+ - https://github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa
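Review bot: This hunk removes the `https://github.com/lsegal/yard/releases/tag/v0.9.35` URL while bumping `patched_versions` from `>= 0.9.35` to `>= 0.9.36`; since 0.9.35 is the release whose fix the description now describes as incomplete, keeping that link (alongside the added PR 1538 and commit 1fcb2d8 references) gives readers the full trail from the first fix to the follow-up. Consider also adding the v0.9.36 release-tag URL next to the new commit link so the bumped `patched_versions` entry is backed by a reference in `related.url`.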