apple502j

6 exploits Active since Oct 2020
CVE-2020-26239 WRITEUP HIGH WRITEUP
Scratch Addons < 1.3.2 - DOM-based Cross-Site Scripting in More Links Addon
Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used incorrect regular expression which caused the HTML-escaped values to be unescaped, leading to XSS. Scratch Addons version 1.3.2 fixes the bug. The extension will be automatically updated by the browser. More Links addon can be disabled via the option of the extension.
CVSS 7.6
CVE-2021-46249 WRITEUP MEDIUM WRITEUP
scratchoauth2 < 2021-04-12 - Authorization Bypass via User-Controlled Key in SpecificApps REST API
An authorization bypass exploited by a user-controlled key in SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504cd3b92cf089fdd366dd40775d6 allows app owners to set flags that indicate whether an app is verified on their own apps.
CVSS 6.5
CVE-2021-46250 WRITEUP CRITICAL WRITEUP
ScratchOAuth2 <a91879bd58fa83b09283c0708a1864cdf067c64a - Auth Bypass
An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows attackers to authenticate as other users on downstream components that rely on ScratchOAuth2.
CVSS 10.0
CVE-2021-46251 WRITEUP MEDIUM WRITEUP
ScratchOAuth2 <commit 1603f04e44ef67dde6ccffe866d2dca16defb293 - XSS
A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.
CVSS 6.1
CVE-2021-46252 WRITEUP MEDIUM WRITEUP
Scratch Wiki scratch-confirmaccount-v3 - CSRF
A Cross-Site Request Forgery (CSRF) in RequirementsBypassPage.php of Scratch Wiki scratch-confirmaccount-v3 allows attackers to modify account request requirement bypasses.
CVSS 6.5
CVE-2020-7750 EXPLOITDB CRITICAL text WORKING POC
scratch-svg-renderer < 0.2.0-prerelease.20201019174008 - Cross-Site Scripting via SVG Injection in loadString
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
CVSS 9.6