Remote Code Execution (RCE)
scratch-vm is vulnerable to remote code execution (RCE). It does not escape extension URL values in the function getExtensionIdForOpcode in serialization/sb3.js, allowing an attacker to inject characters and execute it as a worker...
GHSA-VC9J-FHVV-8VRF Remote Code Execution in scratch-vm
MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker. The responsible code...
Deserialization of untrusted data
CVE-2020-14000
Scratch-vm prior to 0.2.0-prerelease.20200714185213 is vulnerable: getExtensionIdForOpcode in serialization/sb3.js loads extension URLs from untrusted project.json files, treating the content as a script and executing it as a worker due to underscores in URLs. This leads to remote code execution....