commit by to_remotes 2024-03-06 08:43:26 +0100 from vmdevac

2024-03-06 08:43:26 +01:00 · 2024-03-06 08:43:26 +01:00 · d268594caf
parent 01d45130ad
commit d268594caf
4 changed files with 4 additions and 16 deletions
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@ -1 +1 @@
-2024-03-06T08:42:18+01:00
+2024-03-06T08:43:25+01:00
--- a/bundle-audit.json
+++ b/bundle-audit.json
@ -1 +1 @@
-{"version":"0.9.1","created_at":"2024-03-06 08:42:17 +0100","results":[{"type":"unpatched_gem","gem":{"name":"yard","version":"0.9.35"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/yard/CVE-2024-27285.yml","id":"CVE-2024-27285","url":"https://github.com/advisories/GHSA-8mq4-9jjh-9xrc","title":"YARD's default template vulnerable to Cross-site Scripting in generated frames.html","date":"2024-02-28","description":"\n### Summary\n\nThe \"frames.html\" file within the Yard Doc's generated documentation\nis vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate\nsanitization of user input within the JavaScript segment of the\n\"frames.erb\" template file.\n\n### Details\n\nThe vulnerability stems from mishandling user-controlled data retrieved\nfrom the URL hash in the embedded JavaScript code within the \"frames.erb\"\ntemplate file. Specifically, the script lacks proper sanitization of\nthe hash data before utilizing it to establish the top-level window's\nlocation. This oversight permits an attacker to inject malicious\nJavaScript payloads through carefully crafted URLs.\n\nSnippet from \"frames.erb\":\n(v0.9.34)\n```erb\n<script type=\"text/javascript\">\n  var match = unescape(window.location.hash).match(/^#!(.+)/);\n  var name = match ? match[1] : '<%= url_for_main %>';\n  name = name.replace(/^(\\w+):\\/\\//, '').replace(/^\\/\\//, '');\n  window.top.location = name;\n</script>\n```\n\n(v0.9.35)\n```erb\n<script type=\"text/javascript\">\n  var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);\n  var name = match ? match[1] : '<%= url_for_main %>';\n  name = name.replace(/^((\\w*):)?[\\/\\\\]*/gm, '').trim();\n  window.top.location.replace(name)\n</script>\n```\n\n### PoC (Proof of Concept)\n\nTo exploit this vulnerability:\n1. Gain access to the generated Yard Doc.\n2. Locate and access the \"frames.html\" file.\n3. Construct a URL containing the malicious payload in the hash\n   segment, for instance: `#!javascript:xss` for v0.9.34, and\n   `#:javascript:xss` for v0.9.35\n\n### Impact\n\nThis XSS vulnerability presents a substantial threat by enabling\nan attacker to execute arbitrary JavaScript code within the user's\nsession context. Potential ramifications include session hijacking,\ntheft of sensitive data, unauthorized access to user accounts, and\ndefacement of websites. Any user visiting the compromised page is\nsusceptible to exploitation. It is critical to promptly address\nthis vulnerability to mitigate potential harm to users and preserve\nthe application's integrity.\n","cvss_v2":null,"cvss_v3":5.4,"cve":"2024-27285","osvdb":null,"ghsa":"8mq4-9jjh-9xrc","unaffected_versions":[],"patched_versions":[">= 0.9.36"],"criticality":"medium"}}]}
+{"version":"0.9.1","created_at":"2024-03-06 08:43:25 +0100","results":[]}
--- a/report.txt
+++ b/report.txt
@ -1,10 +1 @@
-Name: yard
+No vulnerabilities found
 Version: 0.9.35
 CVE: CVE-2024-27285
 GHSA: GHSA-8mq4-9jjh-9xrc
 Criticality: Medium
 URL: https://github.com/advisories/GHSA-8mq4-9jjh-9xrc
 Title: YARD's default template vulnerable to Cross-site Scripting in generated frames.html
 Solution: upgrade to '>= 0.9.36'
 Vulnerabilities found!
--- a/update-info.txt
+++ b/update-info.txt
@ -1,8 +1,5 @@
 Updating ruby-advisory-db ...
-Updating d7edb7c..2626a46
+Already up to date.
 Fast-forward
 gems/yard/CVE-2024-27285.yml | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
 Updated ruby-advisory-db
 ruby-advisory-db:
  advisories:	877 advisories
`@ -1 +1 @@`
	`2024-03-06T08:42:18+01:00`	`2024-03-06T08:43:25+01:00`
		`@ -1 +1 @@`
			{"version":"0.9.1","created_at":"2024-03-06 08:42:17 +0100","results":[{"type":"unpatched_gem","gem":{"name":"yard","version":"0.9.35"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/yard/CVE-2024-27285.yml","id":"CVE-2024-27285","url":"https://github.com/advisories/GHSA-8mq4-9jjh-9xrc","title":"YARD's default template vulnerable to Cross-site Scripting in generated frames.html","date":"2024-02-28","description":"\n### Summary\n\nThe \"frames.html\" file within the Yard Doc's generated documentation\nis vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate\nsanitization of user input within the JavaScript segment of the\n\"frames.erb\" template file.\n\n### Details\n\nThe vulnerability stems from mishandling user-controlled data retrieved\nfrom the URL hash in the embedded JavaScript code within the \"frames.erb\"\ntemplate file. Specifically, the script lacks proper sanitization of\nthe hash data before utilizing it to establish the top-level window's\nlocation. This oversight permits an attacker to inject malicious\nJavaScript payloads through carefully crafted URLs.\n\nSnippet from \"frames.erb\":\n(v0.9.34)\n```erb\n<script type=\"text/javascript\">\n var match = unescape(window.location.hash).match(/^#!(.+)/);\n var name = match ? match[1] : '<%= url_for_main %>';\n name = name.replace(/^(\\w+):\\/\\//, '').replace(/^\\/\\//, '');\n window.top.location = name;\n</script>\n```\n\n(v0.9.35)\n```erb\n<script type=\"text/javascript\">\n var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);\n var name = match ? match[1] : '<%= url_for_main %>';\n name = name.replace(/^((\\w):)?[\\/\\\\]/gm, '').trim();\n window.top.location.replace(name)\n</script>\n```\n\n### PoC (Proof of Concept)\n\nTo exploit this vulnerability:\n1. Gain access to the generated Yard Doc.\n2. Locate and access the \"frames.html\" file.\n3. Construct a URL containing the malicious payload in the hash\n segment, for instance: `#!javascript:xss` for v0.9.34, and\n `#:javascript:xss` for v0.9.35\n\n### Impact\n\nThis XSS vulnerability presents a substantial threat by enabling\nan attacker to execute arbitrary JavaScript code within the user's\nsession context. Potential ramifications include session hijacking,\ntheft of sensitive data, unauthorized access to user accounts, and\ndefacement of websites. Any user visiting the compromised page is\nsusceptible to exploitation. It is critical to promptly address\nthis vulnerability to mitigate potential harm to users and preserve\nthe application's integrity.\n","cvss_v2":null,"cvss_v3":5.4,"cve":"2024-27285","osvdb":null,"ghsa":"8mq4-9jjh-9xrc","unaffected_versions":[],"patched_versions":[">= 0.9.36"],"criticality":"medium"}}]}				`{"version":"0.9.1","created_at":"2024-03-06 08:43:25 +0100","results":[]}`