4 matches found
CVE-2021-46250
The CVE-2021-46250 entry concerns ScratchOAuth2, specifically its SOA2Login::commented path prior to commit a91879bd58fa83b09283c0708a1864cdf067c64a, which allows an attacker to authenticate as other users on downstream components relying on ScratchOAuth2. The vulnerability’s impact is described ...
CVE-2021-46249
The CVE-2021-46249 issue is an authorization bypass in ScratchOAuth2’s SpecificApps REST API that can be exploited via a user-controlled key to let app owners set flags indicating an app is verified. Root cause: API-level authorization bypass enabling modification of verification status without p...
CVE-2021-46251
ScratchOAuth2 is affected by a reflected XSS vulnerability disclosed as CVE-2021-46251. The issue lies in the POST request handling before commit 1603f04e44ef67dde6ccffe866d2dca16defb293, where insufficient input validation/filtering allows an attacker to inject and execute arbitrary web scripts ...
CVE-2021-29437
ScratchOAuth2 is an OAuth implementation for Scratch. A third party can read and modify data that a user could, by tricking the user into posting a ScratchOAuth2 login code, enabling the third party to complete login and gain full access to the user’s Scratch account. The attack proceeds via a us...