4 matches found
Remote Code Execution
Overview: MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The...
Remote Code Execution in scratch-vm
MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The responsible code...
CVE-2020-14000
MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The responsible code...
CVE-2020-14000
Scratch-vm prior to 0.2.0-prerelease.20200714185213 is vulnerable: getExtensionIdForOpcode in serialization/sb3.js loads extension URLs from untrusted project.json files, treating the content as a script and executing it as a worker due to underscores in URLs. This leads to remote code execution....