Yardoc Yard vulnerabilities

CVE-2024-27285 [MEDIUM] CWE-79 CVE-2024-27285: YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentat YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36.

CVE-2019-1020001 [HIGH] CWE-22 Path Traversal vulnerability that affects yard Path Traversal vulnerability that affects yard ## Possible arbitrary path traversal and file access via `yard server` ### Impact A path traversal vulnerability was discovered in YARD <= 0.9.19 when using `yard server` to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. Thanks to CuongMX from Viettel Cyber Sec

CVE-2017-17042 [HIGH] CWE-22 CVE-2017-17042: lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.