Headline
CVE-2022-31094
ScratchTools is a web extension designed to make interacting with the Scratch programming language community (Scratching) easier. In affected versions, anybody who uses the Recently Viewed Projects feature is vulnerable to having their account taken over if they view a project whose title is crafted to do so. The issue is that if a user visits a project that includes JavaScript in the title, then when the Recently Viewed Projects feature displays it, the extension could run that JavaScript. This issue has been addressed in the 2.5.2 release. Users who run into problems should open an issue in the project issue tracker at https://github.com/STForScratch/ScratchTools/
Impact
Anybody who uses the Recently Viewed Projects feature is vulnerable to having their account taken over if they view a project whose title is crafted to do so. The issue is that if a user visits a project that includes JavaScript in the title, then when the Recently Viewed Projects feature displays it, the extension could run that JavaScript: the title is treated as markup rather than as plain text. The injected script then runs in the viewing user's browser, with their logged-in Scratch session, which is what makes account takeover possible.
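The following is an added example, not ScratchTools' own code, showing the pattern behind the bug described above and in the summary: a recently-viewed list built by interpolating an untrusted project title into HTML, next to a hardened version that escapes it (and a DOM version that uses textContent). The project records, the element names and the `alert(1)` payload are all constructed for illustration.

```javascript
// Added example (not ScratchTools' own code): stored XSS through a project
// title that is rendered as markup, and the hardened rendering beside it.

// Constructed sample data: the second title is attacker-controlled markup.
// A real attacker would use a payload that acts on the victim's session;
// alert(1) is used here only to show that script execution is reachable.
const recentProjects = [
  { id: 1001, title: "My first game" },
  { id: 1002, title: '<img src=x onerror="alert(1)">' },
];

// VULNERABLE: the title is interpolated straight into HTML. The browser
// parses the <img> tag and fires the onerror handler in the page's origin,
// i.e. with the viewing user's logged-in session.
function renderRecentVulnerable(projects) {
  return projects
    .map((p) => `<li><a href="/projects/${p.id}/">${p.title}</a></li>`)
    .join("");
}

// Escape the five characters that can change HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// HARDENED (string version): every untrusted field is encoded for the
// context it lands in. The title goes into HTML text, so it is HTML-escaped;
// the id goes into a URL path segment, so it is percent-encoded instead.
function renderRecentSafe(projects) {
  return projects
    .map(
      (p) =>
        `<li><a href="/projects/${encodeURIComponent(String(p.id))}/">` +
        `${escapeHtml(p.title)}</a></li>`
    )
    .join("");
}

// HARDENED (DOM version): the preferred fix inside an extension, because
// textContent can never be parsed as markup. Only usable where a DOM exists.
function appendRecentSafe(container, projects) {
  for (const p of projects) {
    const li = document.createElement("li");
    const a = document.createElement("a");
    a.href = `/projects/${encodeURIComponent(String(p.id))}/`;
    a.textContent = p.title; // set as text, never via innerHTML
    li.appendChild(a);
    container.appendChild(li);
  }
}

// Detection helper for the check below: does the rendered HTML still contain
// the payload as a live <img ... onerror=...> tag?
function titleIsLiveMarkup(html) {
  return /<img\s/i.test(html) && /onerror=/i.test(html);
}

// Usage: compare the two renderings on the constructed data.
console.log("vulnerable keeps live markup:", titleIsLiveMarkup(renderRecentVulnerable(recentProjects)));
console.log("hardened keeps live markup:  ", titleIsLiveMarkup(renderRecentSafe(recentProjects)));
```

The point to check in a review is not the particular payload but the sink: any place where a value that originates from another user (a project title, a username, a comment) reaches innerHTML, a template string or similar without context-appropriate encoding. The DOM version is the one to prefer in an extension, since it removes the question of whether the escaping function covers every context.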
Patches
At the time this advisory was written the problem had not yet been patched; we were working on a fix and expected it to ship very soon. The fix is straightforward, and we will likely implement an emergency feature shutdown too. The CVE description above records the fix as released in version 2.5.2.
Workarounds
Turn off the Recently Viewed Projects feature, or avoid visiting any projects that include dangerous JavaScript in the title. Since a malicious title cannot be recognised before the project is opened, disabling the feature is the only reliable workaround until you update.
References
Thank you to GarboMuffin for discovering and reporting this issue.
For more information
If you have any questions or comments about this advisory:
- Open an issue in ScratchTools
- Email us at [email protected]