QwikSec

Security Database

CVE

CWE

Training

CVE-2020-26239

Published: Nov 23, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.6

HIGH

Description

Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used incorrect regular expression which caused the HTML-escaped values to be unescaped, leading to XSS. Scratch Addons version 1.3.2 fixes the bug. The extension will be automatically updated by the browser. More Links addon can be disabled via the option of the extension.

Vendor	Product	Versions
ScratchAddons	ScratchAddons	affected `< 1.3.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

References

https://github.com/ScratchAddons/ScratchAddons/security/advisories/GHSA-6qfq-px3r-xj4p

x_refsource_CONFIRM

https://github.com/ScratchAddons/ScratchAddons/commit/b9a52d6532c8514254c7cc1d8e18710dbedc41ff

x_refsource_MISC

https://github.com/ScratchAddons/ScratchAddons/blob/a471893df403f86c9182970678175d4772a0690c/addons/more-links/userscript.js#L15

x_refsource_MISC

https://github.com/ScratchAddons/ScratchAddons/releases/tag/v1.3.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.