Veracode Vulnerability Database: VERACODE:25972
Jul 28, 2020 - 5:29 a.m.

Remote Code Execution (RCE)

2020-07-28 05:29:53
sca.analysiscenter.veracode.com
Tags: remote code execution, serialization, scratch-vm, vulnerability, extension url, attacker, worker

EPSS: 0.043
Percentile: 92.4%

scratch-vm is vulnerable to remote code execution (RCE). The function getExtensionIdForOpcode in serialization/sb3.js does not escape extension URL values, allowing an attacker to inject _ characters and have the extension URL executed as a worker.
