VYPR

Scratchoauth2

by Scratchverifier

CVEs (4)

  • CVE-2021-46251MedFeb 15, 2022
    risk 0.00cvss 6.1epss 0.01

    A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

  • CVE-2021-46250CriFeb 15, 2022
    risk 0.00cvss 10.0epss 0.01

    An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows attackers to authenticate as other users on downstream components that rely on ScratchOAuth2.

  • CVE-2021-46249MedFeb 15, 2022
    risk 0.00cvss 6.5epss 0.01

    An authorization bypass exploited by a user-controlled key in SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504cd3b92cf089fdd366dd40775d6 allows app owners to set flags that indicate whether an app is verified on their own apps.

  • CVE-2021-29437HigApr 13, 2021
    risk 0.00cvss 8.0epss 0.01

    ScratchOAuth2 is an Oauth implementation for Scratch. Any ScratchOAuth2-related data normally accessible and modifiable by a user can be read and modified by a third party. 1. Scratch user visits 3rd party site. 2. 3rd party site asks user for Scratch username. 3. 3rd party site…