CVE-2020-26239

7.6 HIGH

📋 TL;DR

This CVE describes a DOM-based cross-site scripting (XSS) vulnerability in the 'More Links' addon of the Scratch Addons browser extension. An attacker who lures a victim to a malicious page or crafted link can have the addon insert attacker-controlled markup into the Scratch page, so arbitrary script runs in the victim's browser with the origin of that page (a content-script DOM XSS runs with the web page's privileges, not the extension's). All Scratch Addons versions before 1.3.2 are affected when the 'More Links' addon is enabled.
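
To make the vulnerability class concrete, the following is an added example, not code from Scratch Addons or its advisory: the pattern that produces a DOM-based XSS when a content script builds page links from untrusted input by string concatenation, beside a hardened version. The function names (`buildLinkHtmlUnsafe`, `buildLinkHtmlSafe`, `escapeHtml`, `isSafeHref`), the sample payload and the sample inputs are all constructed for illustration.

```javascript
// Added illustration of DOM-based XSS in a content script; NOT the
// Scratch Addons code. Function names and inputs are constructed.

// Vulnerable pattern: untrusted text is concatenated into markup that a
// content script would then assign to element.innerHTML. Any markup in
// `label` or `href` becomes live DOM, and inline handlers such as
// onerror run with the origin of the page the script modified.
function buildLinkHtmlUnsafe(label, href) {
  return `<li><a href="${href}">${label}</a></li>`;
}

// Hardened pattern: escape text for the HTML context and allow only
// http(s) URLs or same-site relative paths. In a real content script,
// prefer document.createElement / textContent / setAttribute, which
// never parse untrusted input as markup at all.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function isSafeHref(href) {
  // Root-relative paths are fine (but reject protocol-relative "//host");
  // absolute URLs must use http or https, which excludes javascript: and data:.
  if (typeof href !== "string") return false;
  if (href.startsWith("/") && !href.startsWith("//")) return true;
  try {
    const u = new URL(href);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch {
    return false; // not an absolute URL and not a root-relative path
  }
}

function buildLinkHtmlSafe(label, href) {
  const safeHref = isSafeHref(href) ? href : "#";
  return `<li><a href="${escapeHtml(safeHref)}">${escapeHtml(label)}</a></li>`;
}

// Constructed attacker input of the kind a DOM XSS relies on: the label
// closes the anchor and injects an element with an event handler, and
// the href smuggles a javascript: URL.
const PAYLOAD_LABEL = '</a><img src=x onerror="alert(document.domain)">';
const PAYLOAD_HREF = "javascript:alert(document.cookie)";

// Returns both renderings so the difference can be inspected or asserted.
function demo() {
  return {
    unsafe: buildLinkHtmlUnsafe(PAYLOAD_LABEL, PAYLOAD_HREF),
    safe: buildLinkHtmlSafe(PAYLOAD_LABEL, PAYLOAD_HREF),
  };
}
```

The unsafe output contains a live `<img onerror=...>` and a `javascript:` link; the safe output renders the payload as visible text and neutralises the link target. The scheme allowlist stops script-bearing URLs, not phishing links, which is a separate concern.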

💻 Affected Systems

Products:
  • Scratch Addons browser extension
Versions: All versions before 1.3.2
Operating Systems: Windows, macOS, Linux, ChromeOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users with the 'More Links' addon enabled within Scratch Addons

📦 What is this software?

Scratch Addons is a browser extension (a WebExtension for Chrome and Firefox) that adds optional features, called addons, to the scratch.mit.edu website; 'More Links' is one such addon. Each addon can be switched on or off individually from the extension's settings.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary script running inside the victim's logged-in Scratch session: account takeover through actions performed as the victim, and theft of any data the logged-in page can read

🟠

Likely Case

Unauthorized actions in the victim's Scratch session (the injected script can issue authenticated requests as the victim), theft of data visible to the logged-in user, and phishing prompts shown from within a trusted page

🟢

If Mitigated

Not exploitable once the extension is updated to 1.3.2 or later or the 'More Links' addon is disabled; even when exploited, the same-origin policy confines the injected script to the Scratch page it runs in

🌐 Internet-Facing: HIGH - Exploitation requires only visiting a malicious website
🏢 Internal Only: LOW - There is no server-side component; exploitation needs the victim's browser to follow an attacker-supplied link

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: Not documented (no exploitation in the wild is reported in the advisory)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering: the victim must follow an attacker-supplied link while running a vulnerable version with the 'More Links' addon enabled

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.2

Vendor Advisory: https://github.com/ScratchAddons/ScratchAddons/security/advisories/GHSA-6qfq-px3r-xj4p

Restart Required: No

Instructions:

1. Ensure extension auto-updates are enabled (the default in Chrome and Firefox; this is separate from browser updates)
2. The extension then updates automatically to version 1.3.2 or later
3. Verify the installed version in the browser's extension manager

🔧 Temporary Workarounds

Disable More Links addon

Platform: all

Temporarily disable the vulnerable component while waiting for update

1. Click Scratch Addons extension icon
2. Go to Settings
3. Find 'More Links' addon
4. Toggle to OFF position

Disable Scratch Addons extension

Platform: all

Completely disable the extension until patched

1. Navigate to browser extensions page
2. Find Scratch Addons
3. Toggle extension to OFF position

🧯 If You Can't Patch

  • Disable the 'More Links' addon within Scratch Addons settings
  • Do not rely on browser-level XSS filters or security extensions: the injection happens in markup the addon itself inserts into the page, which such filters do not intercept; disabling the addon or the extension is the only effective workaround

🔍 How to Verify

Check if Vulnerable:

Check Scratch Addons version in browser extensions manager - if version is below 1.3.2 and 'More Links' addon is enabled, you are vulnerable

Check Version:

Browser-specific: Chrome: chrome://extensions/ (the version is shown on the extension's Details page, or on the card when Developer mode is on); Firefox: about:addons (select the extension to see its version)

Verify Fix Applied:

Verify extension version is 1.3.2 or higher in browser extensions manager

📡 Detection & Monitoring

Log Indicators:

  • The injected script runs inside the victim's browser, so the browser itself produces no log of the event. The realistic downstream sign is activity in the victim's Scratch account that the user did not perform (profile or project changes, comments, follows).

Network Indicators:

  • Requests from the scratch.mit.edu tab to domains the user did not visit, visible in proxy or DNS logs; a script that exfiltrates data must reach an attacker-controlled host. The traffic originates from the page context rather than the extension, so logs will attribute it to the Scratch tab, not to Scratch Addons.

SIEM Query:

  • Not applicable to the exploit itself. The practical control is inventory: use browser-management or endpoint-management tooling to report installed extension versions and flag any Scratch Addons install below 1.3.2.
