1. Home
  2. CVE Database
  3. CVE-2022-31094
HIGH · 7.1

CVE-2022-31094

ScratchTools is a web extension designed to make interacting with the Scratch programming language community (Scratching) easier. In affected versions anybody who uses the Recently Viewed Projects fea...

Vulnerability Description

ScratchTools is a web extension designed to make interacting with the Scratch programming language community (Scratching) easier. In affected versions anybody who uses the Recently Viewed Projects feature is vulnerable to having their account taken over if they view a project that tries to. The issue is that if a user visits a project that includes Javascript in the title, then when the Recently Viewed Projects feature displays it, it could run the Javascript. This issue has been addressed in the 2.5.2 release. Users having issues scratching should open an issue in the project issue tracker https://github.com/STForScratch/ScratchTools/

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW

Affected Products

VendorProductVersions
ScratchstatusScratchtools>= 2.4.0, < 2.5.2

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2022-31094?

CVE-2022-31094 is a vulnerability with a CVSS score of 7.1 (HIGH). ScratchTools is a web extension designed to make interacting with the Scratch programming language community (Scratching) easier. In affected versions anybody who uses the Recently Viewed Projects fea...

How severe is CVE-2022-31094?

CVE-2022-31094 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-31094?

Check the references section above for vendor advisories and patch information. Affected products include: Scratchstatus Scratchtools.