CVE-2020-26239 — HIGH (7.6)

Q: How severe is CVE-2020-26239?

CVE-2020-26239 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-26239?

Check the references section above for vendor advisories and patch information. Affected products include: Scratchaddons Scratch Addons.

Vulnerability Description

Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used incorrect regular expression which caused the HTML-escaped values to be unescaped, leading to XSS. Scratch Addons version 1.3.2 fixes the bug. The extension will be automatically updated by the browser. More Links addon can be disabled via the option of the extension.

CVSS Score

7.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Scratchaddons	Scratch Addons	< 1.3.2

Related Weaknesses (CWE)

CWE-79

References

https://github.com/ScratchAddons/ScratchAddons/blob/a471893df403f86c918297067817Third Party Advisory
https://github.com/ScratchAddons/ScratchAddons/commit/b9a52d6532c8514254c7cc1d8ePatchThird Party Advisory
https://github.com/ScratchAddons/ScratchAddons/releases/tag/v1.3.2Release NotesThird Party Advisory
https://github.com/ScratchAddons/ScratchAddons/security/advisories/GHSA-6qfq-px3PatchThird Party Advisory
https://github.com/ScratchAddons/ScratchAddons/blob/a471893df403f86c918297067817Third Party Advisory
https://github.com/ScratchAddons/ScratchAddons/commit/b9a52d6532c8514254c7cc1d8ePatchThird Party Advisory
https://github.com/ScratchAddons/ScratchAddons/releases/tag/v1.3.2Release NotesThird Party Advisory
https://github.com/ScratchAddons/ScratchAddons/security/advisories/GHSA-6qfq-px3PatchThird Party Advisory

FAQ

What is CVE-2020-26239?

CVE-2020-26239 is a vulnerability with a CVSS score of 7.6 (HIGH). Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links add...

How severe is CVE-2020-26239?

CVE-2020-26239 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-26239?

Check the references section above for vendor advisories and patch information. Affected products include: Scratchaddons Scratch Addons.