
Commit f39d757

Fryguy authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@2626a46
1 parent 2130115 commit f39d757

1 file changed

+19
-5
lines changed


advisories/_posts/2024-02-28-CVE-2024-27285.md

+19-5
@@ -31,22 +31,34 @@ advisory:
3131
JavaScript payloads through carefully crafted URLs.
3232
3333
Snippet from "frames.erb":
34+
(v0.9.34)
3435
```erb
3536
<script type="text/javascript">
3637
var match = unescape(window.location.hash).match(/^#!(.+)/);
37-
var name = match ? match[1] : '<= url_for_main >';
38+
var name = match ? match[1] : '<%= url_for_main %>';
3839
name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
3940
window.top.location = name;
4041
</script>
4142
```
4243
44+
(v0.9.35)
45+
```erb
46+
<script type="text/javascript">
47+
var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
48+
var name = match ? match[1] : '<%= url_for_main %>';
49+
name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
50+
window.top.location.replace(name)
51+
</script>
52+
```
53+
4354
### PoC (Proof of Concept)
4455
4556
To exploit this vulnerability:
4657
1. Gain access to the generated Yard Doc.
4758
2. Locate and access the "frames.html" file.
4859
3. Construct a URL containing the malicious payload in the hash
49-
segment, for instance: `#!javascript:xss`
60+
segment, for instance: `#!javascript:xss` for v0.9.34, and
61+
`#:javascript:xss` for v0.9.35
5062
5163
### Impact
5264
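Review bot: the new `(v0.9.35)` snippet sits beside the `(v0.9.34)` one without saying which is the vulnerable code and which is the incomplete fix; a reader only learns that 0.9.35 is still affected from PoC step 3 further down. Suggest labelling them `(v0.9.34, original)` and `(v0.9.35, incomplete fix)` and adding one sentence after the second snippet explaining why it still fails: in `name.replace(/^((\w*):)?[\/\\]*/gm, '')` the optional group `(\w*):` can match a bare leading `:`, so the `#:javascript:xss` payload quoted in the PoC loses only its first character and `javascript:xss` still reaches `window.top.location.replace(name)`. The `-`/`+` pair at old line 37 / new line 38 correctly restores the ERB delimiters (`<%= url_for_main %>`) that the earlier snippet had lost.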
@@ -60,12 +72,14 @@ advisory:
6072
the application's integrity.
6173
cvss_v3: 5.4
6274
patched_versions:
63-
- ">= 0.9.35"
75+
- ">= 0.9.36"
6476
related:
6577
url:
66-
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27285
67-
- https://github.com/lsegal/yard/releases/tag/v0.9.35
6878
- https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
6979
- https://github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be
80+
- https://nvd.nist.gov/vuln/detail/CVE-2024-27285
7081
- https://github.com/advisories/GHSA-8mq4-9jjh-9xrc
82+
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml
83+
- https://github.com/lsegal/yard/pull/1538
84+
- https://github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa
7185
---
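Review bot: dropping `https://github.com/lsegal/yard/releases/tag/v0.9.35` removes the only pointer to the first, incomplete fix at the very moment the description starts discussing the v0.9.35 code, and no release link for the version that actually closes the issue is added in its place; suggest keeping the v0.9.35 tag link and adding the corresponding v0.9.36 release tag link beside the new PR and commit references. The `patched_versions` bump to `">= 0.9.36"` is the substantive change here and is consistent with the PoC update in the description, and swapping the cve.mitre.org URL for the NVD entry is fine since both point at CVE-2024-27285.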
