Vulnerability Details : CVE-2020-26239
Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used an incorrect regular expression that caused HTML-escaped values to be unescaped, leading to XSS. Scratch Addons version 1.3.2 fixes the bug. The extension will be automatically updated by the browser. The More Links addon can also be disabled via the extension's options.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2020-26239
- cpe:2.3:a:scratchaddons:scratch_addons:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26239
- EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~30% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2020-26239
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST |
7.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N | 2.3 | 4.7 | GitHub, Inc. |
CWE ids for CVE-2020-26239
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2020-26239
- https://github.com/ScratchAddons/ScratchAddons/security/advisories/GHSA-6qfq-px3r-xj4p (DOM-based Cross-Site Scripting · Advisory · ScratchAddons/ScratchAddons · GitHub): Patch; Third Party Advisory
- https://github.com/ScratchAddons/ScratchAddons/commit/b9a52d6532c8514254c7cc1d8e18710dbedc41ff (SECURITY: Fix DOM XSS in More Links addon · ScratchAddons/ScratchAddons@b9a52d6 · GitHub): Patch; Third Party Advisory
- https://github.com/ScratchAddons/ScratchAddons/releases/tag/v1.3.2 (Release Scratch Addons v1.3.2 · ScratchAddons/ScratchAddons · GitHub): Release Notes; Third Party Advisory
- https://github.com/ScratchAddons/ScratchAddons/blob/a471893df403f86c9182970678175d4772a0690c/addons/more-links/userscript.js#L15 (ScratchAddons/userscript.js at a471893df403f86c9182970678175d4772a0690c · ScratchAddons/ScratchAddons · GitHub): Third Party Advisory