Unrated severityNVD Advisory· Published Nov 23, 2020· Updated Aug 4, 2024

Cross-Site Scripting in Scratch browser addons

CVE-2020-26239

Description

Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used incorrect regular expression which caused the HTML-escaped values to be unescaped, leading to XSS. Scratch Addons version 1.3.2 fixes the bug. The extension will be automatically updated by the browser. More Links addon can be disabled via the option of the extension.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

ScratchAddons/ScratchAddonsllm-create2 versions
<1.3.2+ 1 more
- (no CPE)range: <1.3.2
- (no CPE)range: < 1.3.2

Patches

Vulnerability mechanics

References

github.com/ScratchAddons/ScratchAddons/blob/a471893df403f86c9182970678175d4772a0690c/addons/more-links/userscript.jsmitrex_refsource_MISC
github.com/ScratchAddons/ScratchAddons/commit/b9a52d6532c8514254c7cc1d8e18710dbedc41ffmitrex_refsource_MISC
github.com/ScratchAddons/ScratchAddons/releases/tag/v1.3.2mitrex_refsource_MISC
github.com/ScratchAddons/ScratchAddons/security/advisories/GHSA-6qfq-px3r-xj4pmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000