- DancingNekoGirl
- Scratcher
1000+ posts
Critical Bug in SVG Renderer, Update Scratch App ASAP!
Oh. Um what about mobile users? i use google chrome for ipad
yeah i'm using phone sometimes
Well, I think if you have the app you should update it anyways. If you're using the site, then you're good.
Last edited by DancingNekoGirl (Oct. 26, 2020 22:41:35)
- Chiroyce
- Scratcher
1000+ posts
Using the website with any browser is fine, the bug has been fixed in the website.
- Scratcher-402
- Scratcher
100+ posts
Does this apply to Scratux?
- Chiroyce
- Scratcher
1000+ posts
Does this apply to Scratux?
It applies to the offline editor and the app of Scratch 3.0. Older versions and the website aren’t affected.
- apple502j
- Scratcher
1000+ posts
Does this apply to Scratux?
Yes. Scratux is not updated since May.
- mrCamelCase
- Scratcher
100+ posts
Only just now found this, hopefully no problems?
Edit: It seems like you're only in serious trouble if you've downloaded and executed a .sb3 file you didn't make. Since I only work on my stuff I'm probably fine, but I've updated anyways. Thanks for the heads up!
Last edited by mrCamelCase (Oct. 27, 2020 13:29:58)
- MrFluffyPenguins
- Scratcher
1000+ posts
yeah this seems like an issue. i hope the ST makes an announcement about it!
Last edited by MrFluffyPenguins (Oct. 27, 2020 13:50:33)
- mtech22
- Scratcher
1000+ posts
Is 2.0 okay?
yes, only 3.0 is affected
- Andwhydoyouseegam
- Scratcher
23 posts
Critical Cross-site Scripting in Scratch
A cross-site scripting vulnerability was discovered in the SVG rendering engine for Scratch. This can lead to arbitrary code execution when a crafted project is opened in the Scratch app (including Scratch Desktop).
This affects the Scratch website, all versions of Scratch Desktop and other Scratch 3.0 mods or any applications using Scratch SVG Renderer. The attack is likely to be also possible on the Scratch app for Android/Chromebook. A similar problem was also discovered in the Forkphorus implementation of the rendering engine.
How to Prevent the Attack
・Scratch website: already patched.
・Scratch Desktop/Scratch app for Windows/macOS: DOWNLOAD AND INSTALL LATEST VERSION 3.17.1. Microsoft Store version is not updated, so use direct download.
・Mods: Pull latest commits of scratch-gui, delete node_modules and package-lock.json and run “npm install” again. If you are editing scratch-svg-renderer, a patch file is available: https://gist.github.com/apple502j/b1a4af80050175d0a23021a38b28ba57 (you need to run “npm install” after applying)
・Forkphorus website: already patched.
・Forkphorus mods: Pull latest commits.
Technical details
・CVE: CVE-2020-7750
・CVSS score: 9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
・CWE: CWE-79/Improper Neutralization of Input During Web Page Generation
How to get Security Update
Microsoft Store version users? Uninstall and switch to direct download!
macOS App Store
・It should be auto-updated.
Direct download
・Check https://scratch.mit.edu/download for details.
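For the crafted-project risk described in the advisory above, a heuristic way to triage a downloaded .sb3 before opening it in an unpatched app. This is an added example, not part of any post in this thread and not the Scratch fix; it assumes an .sb3 is a ZIP archive whose vector costumes are stored as .svg members, and every name in it (`scan_svg`, `scan_sb3`, `build_sample`, the size cap) is hypothetical. It flags script-capable SVG content in general and does not test for the specific flaw behind CVE-2020-7750.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}
SCRIPT_URL = re.compile(r"\s*(javascript:|data:text/html)", re.I)
MAX_SVG_BYTES = 5 * 1024 * 1024  # arbitrary cap (assumption): larger assets are not parsed

def scan_svg(data: bytes) -> list:
    """Return reasons an SVG asset needs manual review (empty list: none found)."""
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):  # never feed entities to the parser
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip the "{namespace}" prefix
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()
            if attr.startswith("on"):
                findings.append(f"event handler attribute {attr}")
            elif attr in ("href", "src") and SCRIPT_URL.match(value):
                findings.append(f"script-capable URL in {attr}")
    return findings

def scan_sb3(blob: bytes) -> dict:
    """Map each flagged .svg member of an .sb3 (ZIP) archive to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for info in archive.infolist():
            if info.filename.lower().endswith(".svg"):
                too_big = info.file_size > MAX_SVG_BYTES  # check before decompressing
                findings = ["oversized asset"] if too_big else scan_svg(archive.read(info))
                if findings:
                    report[info.filename] = findings
    return report

def build_sample() -> bytes:  # constructed archive for testing, not a real project
    ns = 'xmlns="http://www.w3.org/2000/svg"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("plain.svg", f'<svg {ns}><circle r="5"/></svg>')
        z.writestr("flagged.svg", f'<svg {ns} onload="marker()"><rect/></svg>')
    return buf.getvalue()
```

To check a real file, pass its bytes to `scan_sb3`; an empty result means only that none of these patterns were found, so updating the app remains the actual fix.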
- wgyt
- Scratcher
1000+ posts
snip
Oh. Um what about mobile users? i use google chrome for ipad
If you are using the scratch website you should be fine, if you use the mobile app, update to 3.17.1
- thatfoodorange
- Scratcher
9 posts
Oh. Um what about mobile users? i use google chrome for ipad
yeah i'm using phone sometimes
Well, I think if you have the app you should update it anyways. If you're using the site, then you're good.
i'm using the site
Last edited by thatfoodorange (Oct. 27, 2020 22:10:35)
- MeIzAwezomeDede
- Scratcher
1000+ posts
*laughs in 2.0*
Really though this seems pretty bad
- lambodhar
- Scratcher
41 posts
you sure of this?
- Krokophant
- Scratcher
100+ posts
So why is this dangerous?
- DancingNekoGirl
- Scratcher
1000+ posts
So why is this dangerous?
Well, you can get all sorts of things, like viruses. Oh, and there's the risk of your personal data being stolen.
- Andwhydoyouseegam
- Scratcher
23 posts
when I receive money [ v]
play sound lol [ v] until done
- thatfoodorange
- Scratcher
9 posts
when I receive money [ v]
play sound lol [ v] until done
play sound [lol v] until done
- Andwhydoyouseegam
- Scratcher
23 posts
when I receive money [ v]
play sound lol [ v] until done
play sound [lol v] until done