CVE-2020-26239
Last modified
CVE-2020-26239 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. EPSS estimates a 1.02% chance of exploitation in the next 30 days.
Description
Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used incorrect regular expression which caused the HTML-escaped values to be unescaped, leading to XSS. Scratch Addons version 1.3.2 fixes the bug. The extension will be automatically updated by the browser. More Links addon can be disabled via the option of the extension.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Scratchaddons | Scratch Addons | < 1.3.2 |
References
- https://github.com/ScratchAddons/ScratchAddons/commit/b9a52d6532c8514254c7cc1d8e18710dbedc41ffPatch, Third Party Advisory
- https://github.com/ScratchAddons/ScratchAddons/releases/tag/v1.3.2Release Notes, Third Party Advisory
- https://github.com/ScratchAddons/ScratchAddons/security/advisories/GHSA-6qfq-px3r-xj4pPatch, Third Party Advisory
- https://github.com/ScratchAddons/ScratchAddons/commit/b9a52d6532c8514254c7cc1d8e18710dbedc41ffPatch, Third Party Advisory
- https://github.com/ScratchAddons/ScratchAddons/releases/tag/v1.3.2Release Notes, Third Party Advisory
- https://github.com/ScratchAddons/ScratchAddons/security/advisories/GHSA-6qfq-px3r-xj4pPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-26239?
How severe is CVE-2020-26239?
How do I fix CVE-2020-26239?
Are you affected by CVE-2020-26239?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST