CyberSec.Space Logo
返回 CVE 浏览器

CVE-2021-29437

HIGH
8.0
CVSS Severity Score
EPSS Score0.0060%
EPSS Percentile0.21th
Published2021年4月13日
Last Modified2024年11月21日

Vulnerability Description

ScratchOAuth2 is an Oauth implementation for Scratch. Any ScratchOAuth2-related data normally accessible and modifiable by a user can be read and modified by a third party. 1. Scratch user visits 3rd party site. 2. 3rd party site asks user for Scratch username. 3. 3rd party site pretends to be user and gets login code from ScratchOAuth2. 4. 3rd party site gives code to user and instructs them to post it on their profile. 5. User posts code on their profile, not knowing it is a ScratchOAuth2 login code. 6. 3rd party site completes login with ScratchOAuth2. 7. 3rd party site has full access to anything the user could do if they directly logged in. See referenced GitHub security advisory for patch notes and workarounds.

Affected Platforms (CPE)

📦
Scratchoauth2 Project

Scratchoauth2

< 2021-04-13

References & Advisories

🔗 https://github.com/ScratchVerifier/ScratchOAuth2/commit/9220c2a77eda3df37a84486ad722f1ad0985d8e7
🔗 https://github.com/ScratchVerifier/ScratchOAuth2/security/advisories/GHSA-gvpg-23fh-8g75
🔗 https://github.com/ScratchVerifier/ScratchOAuth2/commit/9220c2a77eda3df37a84486ad722f1ad0985d8e7
🔗 https://github.com/ScratchVerifier/ScratchOAuth2/security/advisories/GHSA-gvpg-23fh-8g75

相关漏洞威胁

CVE-2021-4625010.0

An issue in SOA2Login::commented of ScratchOAuth2 before commit a91879bd58fa83b09283c0708a1864cdf067c64a allows attackers to authe...

CVE-2021-462496.5

An authorization bypass exploited by a user-controlled key in SpecificApps REST API in ScratchOAuth2 before commit d856dc704b2504c...

CVE-2021-462516.1

A reflected cross-site scripting (XSS) in ScratchOAuth2 before commit 1603f04e44ef67dde6ccffe866d2dca16defb293 allows attackers to...

CVE-2026-48777

FileBrowser Quantum is a free, self-hosted, web-based file manager. Versions prior to 1.3.2-stable, 1.4.0-beta and 1.4.1-beta are ...