Discuss Scratch
- Discussion Forums
- » Advanced Topics
- » Critical Bug in SVG Renderer, Update Scratch App ASAP!
- apple502j (Scratcher, 1000+ posts)
Critical Cross-site Scripting in Scratch
A cross-site scripting vulnerability was discovered in the SVG rendering engine for Scratch. This can lead to arbitrary code execution when a crafted project is opened in the Scratch app (including Scratch Desktop).
This affects the Scratch website, all versions of Scratch Desktop and other Scratch 3.0 mods, or any application using the Scratch SVG Renderer. The attack is likely also possible on the Scratch app for Android/Chromebook. A similar problem was also discovered in the Forkphorus implementation of the rendering engine.
How to Prevent the Attack
・Scratch website: already patched.
・Scratch Desktop/Scratch app for Windows/macOS: DOWNLOAD AND INSTALL THE LATEST VERSION, 3.17.1. The Microsoft Store version is not updated, so use the direct download.
・Mods: Pull latest commits of scratch-gui, delete node_modules and package-lock.json and run “npm install” again. If you are editing scratch-svg-renderer, a patch file is available: https://gist.github.com/apple502j/b1a4af80050175d0a23021a38b28ba57 (you need to run “npm install” after applying)
・Forkphorus website: already patched.
・Forkphorus mods: Pull latest commits.
Technical details
・CVE: CVE-2020-7750
・CVSS score: 9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
・CWE: CWE-79/Improper Neutralization of Input During Web Page Generation
How to get Security Update
Microsoft Store version users? Uninstall and switch to direct download!
macOS App Store
・It should be auto-updated.
Direct download
・Check https://scratch.mit.edu/download for details.
Last edited by apple502j (Oct. 22, 2020 03:46:39)
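The advisory above names the bug class (CWE-79 in an SVG renderer) but shows no code. The following JavaScript is an added example, not code from this post, from scratch-svg-renderer, or from Forkphorus: an allowlist pre-filter that removes script elements, event-handler attributes and non-fragment, non-image references from SVG markup before it is handed to a renderer, and reports what it removed so a host application can log suspicious costumes. The element and attribute allowlists, the `sanitizeSvg`/`isSafeRef` names and the sample costume markup are all assumptions constructed for this example.

```javascript
'use strict';

// Allowlists are assumptions for this example, not taken from any renderer.
// Names are compared lower-cased; the original casing (viewBox, clipPath) is
// preserved on output because SVG is case-sensitive.
const ALLOWED_ELEMENTS = new Set([
  'svg', 'g', 'defs', 'title', 'desc', 'path', 'rect', 'circle', 'ellipse',
  'line', 'polyline', 'polygon', 'text', 'tspan', 'use', 'image',
  'lineargradient', 'radialgradient', 'stop', 'clippath', 'mask',
]);
const ALLOWED_ATTRS = new Set([
  'id', 'class', 'xmlns', 'xmlns:xlink', 'viewbox', 'width', 'height',
  'x', 'y', 'x1', 'y1', 'x2', 'y2', 'cx', 'cy', 'r', 'rx', 'ry', 'd',
  'points', 'transform', 'fill', 'stroke', 'stroke-width', 'stroke-linecap',
  'stroke-linejoin', 'opacity', 'offset', 'stop-color', 'font-size',
  'font-family', 'text-anchor', 'clip-path', 'mask', 'href', 'xlink:href',
]);
const URL_ATTRS = new Set(['href', 'xlink:href']);

// Decode numeric character references and strip ASCII whitespace/control
// characters, so a scheme is checked in the form the renderer would see.
function normalizeUrl(value) {
  const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/[\u0000-\u0020\u007f]/g, '');
}

// Only same-document references and embedded raster images are kept.
function isSafeRef(value) {
  return /^(?:#|data:image\/(?:png|jpeg|gif|webp);base64,)/i.test(normalizeUrl(value));
}

// Token regex: CDATA, comment, processing instruction and declaration are
// matched so they can be dropped; group 1 = closing tag name, group 2 = opening
// tag name, group 3 = raw attribute text, group 4 = self-closing slash.
const TOKEN_RE = /<!\[CDATA\[[\s\S]*?\]\]>|<!--[\s\S]*?-->|<\?[\s\S]*?\?>|<![^>]*>|<\/([A-Za-z][\w:.-]*)\s*>|<([A-Za-z][\w:.-]*)((?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Keep only allowlisted attributes; drop every on* handler and any URL
// attribute whose normalized value is not a fragment or image data URI.
function sanitizeAttrs(attrText, dropped) {
  let out = '';
  for (const m of attrText.matchAll(ATTR_RE)) {
    const name = m[1];
    const lower = name.toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (lower.startsWith('on') || !ALLOWED_ATTRS.has(lower) ||
        (URL_ATTRS.has(lower) && !isSafeRef(value))) {
      dropped.push(lower);
      continue;
    }
    out += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return out;
}

// Returns { svg, dropped }: the filtered markup and the names of every
// element or attribute that was removed (useful for logging/detection).
function sanitizeSvg(markup) {
  const dropped = [];
  let out = '';
  let last = 0;
  let skipDepth = 0; // > 0 while inside the subtree of a removed element
  for (const m of markup.matchAll(TOKEN_RE)) {
    if (skipDepth === 0) out += markup.slice(last, m.index); // text node
    last = m.index + m[0].length;
    const [, closeName, openName, attrText, selfClose] = m;
    if (closeName !== undefined) {
      if (skipDepth > 0) { skipDepth--; continue; }
      if (ALLOWED_ELEMENTS.has(closeName.toLowerCase())) out += `</${closeName}>`;
      continue;
    }
    if (openName === undefined) continue; // comment, CDATA, PI, declaration
    if (skipDepth > 0) { if (!selfClose) skipDepth++; continue; }
    if (!ALLOWED_ELEMENTS.has(openName.toLowerCase())) {
      dropped.push(openName.toLowerCase());
      if (!selfClose) skipDepth++; // remove the whole subtree, e.g. <script>…</script>
      continue;
    }
    out += `<${openName}${sanitizeAttrs(attrText, dropped)}${selfClose ? '/' : ''}>`;
  }
  if (skipDepth === 0) out += markup.slice(last);
  return { svg: out, dropped };
}

// Constructed sample: a costume-like SVG with an injected script element, an
// event-handler attribute and an entity-obfuscated javascript: reference.
const SAMPLE = [
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">',
  '  <!-- costume --><title>cat</title>',
  '  <rect x="10" y="10" width="80" height="80" fill="#f90" onload="console.log(1)"/>',
  '  <script>console.log("injected")</script>',
  '  <use xlink:href="&#106;avascript:console.log(1)" x="1"/>',
  '  <use xlink:href="#shape"/>',
  '</svg>',
].join('\n');

console.log(sanitizeSvg(SAMPLE));
```

A hand-written tokenizer like this is meant to make the individual checks visible; a product should rely on a maintained sanitizer library with the same allowlist approach rather than on regular expressions. The `dropped` list is the detection hook: a costume that loses a `script` element or an `on*` attribute on load is worth flagging to the user or to telemetry.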
- Ihatr (Scratcher, 1000+ posts)
Oh my, this sounds bad.
Just updated the app, so hopefully I'm safe now.
- Jeffalo (Scratcher, 1000+ posts)
I've updated my signature to spread the word. This is pretty dangerous stuff here, apple; you're kinda like a superhero for finding all this!
- mtech22 (Scratcher, 1000+ posts)
Should I just uninstall it or do I have to update it?
- duckboycool (Scratcher, 1000+ posts)
> Should I just uninstall it or do I have to update it?
It's probably worth reinstalling either way, but definitely do so if you have the Microsoft Store version.
Last edited by duckboycool (Oct. 21, 2020 13:59:31)
- mtech22 (Scratcher, 1000+ posts)
> > Should I just uninstall it or do I have to update it?
> It's probably worth reinstalling either way, but definitely do so if you have the Windows Store version.
I don't have the Windows Store version, so I just uninstalled it. I'm not currently using that device, so if I have to reinstall it I will, but if not, I won't.
- 4096bits (Scratcher, 1000+ posts)
Okay, now I'm scared. I just uninstalled the Microsoft Store version of Scratch Desktop and installed the direct download version.
> I've updated my signature to spread the word. This is pretty dangerous stuff here, apple; you're kinda like a superhero for finding all this!
I'll go ahead and warn people about this in my sig too when I have time to do so.
- -Accio- (Scratcher, 1000+ posts)
Is this still an issue if you only open your own projects with the app?
- apple502j (Scratcher, 1000+ posts)
Only when you open bad projects.
- MeowyTitan08 (Scratcher, 1000+ posts)
Oh dear… The play store won't let me update to that version yet. I just uninstalled it.
- Bluebatstar (Scratcher, 1000+ posts)
I don't get it… what's going on? I did update the app, this sounds important, but I don't get it.
- Jeffalo (Scratcher, 1000+ posts)
> I don't get it… what's going on? I did update the app, this sounds important, but I don't get it.
Someone sends you an sb3 (or you open a malicious sb3), and somehow, using some weird stuff, it can run malicious code that can do bad things.
- Bluebatstar (Scratcher, 1000+ posts)
> > I don't get it… what's going on? I did update the app, this sounds important, but I don't get it.
> Someone sends you an sb3 (or you open a malicious sb3), and somehow, using some weird stuff, it can run malicious code that can do bad things.
Ok, I get it. I only use my own projects offline, but it's still a risk, nonetheless. I've updated now.
- GachaN0nsense (Scratcher, 500+ posts)
I'll spread word. How did you even find out about this?
- Vercte (Scratcher, 500+ posts)
> I'll spread word. How did you even find out about this?
They're a bug hunter for websites, AKA a white-hat hacker.
- DC382 (Scratcher, 1000+ posts)
What would the effects of said bug be?
My browser / operating system: ChromeOS (Linux) 13421.53.0, Chrome 86.0.4240.77, No Flash version detected.
Also, am I safe?
- bywok (Scratcher, 100+ posts)
I haven't opened any .sb3 files other than my own… but I'll spread word
- pokeshah (Scratcher, 100+ posts)
What? This sounds serious, though. What is going on?
- 4096bits (Scratcher, 1000+ posts)
> What would the effects of said bug be?
I believe once you load any malicious Scratch 3 file into any Scratch editor, code can be executed, which can be used to harm your computer.
- GoboSnack (Scratcher, 100+ posts)
Let's spread the word!