Medium severity 6.7 · NVD Advisory · Published Aug 25, 2025 · Updated Apr 15, 2026
CVE-2025-55301
Description
The Scratch Channel is a news website. In version 1, a user can open the Application tab in the browser's devtools, select Local Storage, and edit the account's username locally. This issue has been patched in version 1.1.
Affected products: 1
Patches: 1
0b0383e217a7 Update createArticles.jsx
1 file changed · +11 −2
src/pages/createArticles.jsx+11 −2 modified@@ -18,7 +18,10 @@ export default function CreateArticle() { const categories = ["TSC Announcements", "TSC Update Log", "Scratch News"]; const [category, setCategory] = useState(categories[0]); - const editor = useEditor({ extensions: [StarterKit, Bold, Italic, Underline, Link, Image], content: "" }); + const editor = useEditor({ + extensions: [StarterKit, Bold, Italic, Underline, Link, Image], + content: "", + }); useEffect(() => { const token = localStorage.getItem("scratchToken"); @@ -76,30 +79,36 @@ ${content} <div className="container mt-4"> <div className="card shadow p-4"> <h1 className="mb-4">✍️ Create Article</h1> + <div className="mb-3"> <label className="form-label">Title</label> <input className="form-control" type="text" value={title} onChange={e => setTitle(e.target.value)} placeholder="Enter your article title..." /> </div> + <div className="mb-3"> <label className="form-label">Author</label> <input className="form-control" type="text" value={scratchUser} readOnly disabled /> </div> + <div className="mb-3"> <label className="form-label">Date</label> <input className="form-control" type="date" value={date} readOnly disabled /> </div> + <div className="mb-3"> <label className="form-label">Category</label> <select className="form-select" value={category} onChange={e => setCategory(e.target.value)}> {categories.map(cat => <option key={cat} value={cat}>{cat}</option>)} </select> </div> + <div className="mb-3"> <label className="form-label">Content</label> - <div className="border rounded p-3" style={{ minHeight: "250px", background: "#fff" }}> + <div className="editor-container"> <EditorContent editor={editor} /> </div> </div> + <div className="d-flex gap-3 mt-3"> <button className="btn btn-primary" onClick={handleSubmit}>Submit</button> <button className="btn btn-secondary" onClick={() => navigate("/")}>Cancel</button>
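Review bot: In the first hunk (@@ -18,7 +18,10), the only changed lines reformat the useEditor({ ... }) call across four lines, while the useEffect below it that calls localStorage.getItem("scratchToken") is unchanged context. If this commit is meant to stop account data held in local storage from being trusted, that logic change is not visible in this hunk. I would split the formatting into its own commit and give the fix a message more specific than "Update createArticles.jsx", so the security-relevant change can be reviewed on its own.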
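Review bot: In the second hunk (@@ -76,30 +79,36), the Author input is still value={scratchUser} readOnly disabled, and none of the changed lines alter where scratchUser comes from. readOnly and disabled only constrain the form control in the browser, so if scratchUser is populated from local storage the user can still change it before the page renders. The author should be derived on the server from the verified token when the article is submitted, not taken from client state. Separately, replacing the inline style={{ minHeight: "250px", background: "#fff" }} with className="editor-container" drops the minimum height and background unless that class is defined in a stylesheet, and this commit changes only one file.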