Advisories for Gem/Yard package

2024
2019
2017

Directory traversal

lib/yard/core_ext/file.rb does not reject relative paths that begin with a `../` sequence, which allows an attacker to traverse directories and read arbitrary files.

2013

Cross-site Scripting

This package is vulnerable to Cross-site Scripting (XSS). Strings parsed from the URL fragment (the anchor part of the address bar) were not sanitized, allowing arbitrary HTML to be embedded into the page.