CVE-2022-31094: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in STForScratch ScratchTools
ScratchTools is a web extension designed to make interacting with the Scratch programming language community (Scratching) easier. In affected versions, anybody who uses the Recently Viewed Projects feature is vulnerable to having their account taken over if they view a project that attempts it. The issue is that if a user visits a project whose title contains JavaScript, then when the Recently Viewed Projects feature displays that title, it could run the JavaScript. This issue has been addressed in the 2.5.2 release. Users having issues scratching should open an issue in the project issue tracker https://github.com/STForScratch/ScratchTools/
AI Analysis
Technical Summary
CVE-2022-31094 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the ScratchTools web extension, which facilitates interaction with the Scratch programming language community. It affects versions 2.4.0 up to but not including 2.5.2. The root cause is improper neutralization of user-supplied input during web page generation, specifically in how project titles are rendered by the Recently Viewed Projects feature. If a malicious actor creates a Scratch project with JavaScript embedded in its title and a user views that project, the title is later rendered by the Recently Viewed Projects feature without sanitization or encoding, and the embedded JavaScript executes in the context of the ScratchTools extension. That execution can lead to account takeover: the script could steal authentication tokens or session cookies, or perform actions on the user's behalf. The vulnerability was fixed in ScratchTools 2.5.2. No exploits in the wild were known at the time of reporting, and the vendor directs users experiencing issues to the project's GitHub issue tracker. Exploitation requires the victim to use the Recently Viewed Projects feature and to have viewed a maliciously crafted project, so user interaction is necessary. No authentication bypass is indicated, but a successful attack compromises the authenticated user's account.
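The defect class described above, shown as an added example that is not ScratchTools' own code: a recently-viewed list that concatenates the project title straight into markup, next to two hardened renderers (entity-encoding the title, or assigning it via textContent so it is never parsed as HTML). The project ids and titles are constructed sample data, and `titleMarkupLeaked` is a hypothetical regression check a reviewer could run.

```javascript
// Constructed sample data: one ordinary title, one carrying markup.
const SAMPLE_PROJECTS = [
  { id: 101, title: 'My Platformer' },
  { id: 102, title: 'Cool Game <img src=x onerror=alert(1)>' },
];

// Entity-encode text destined for element content or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the title is concatenated into HTML that later lands
// in innerHTML, so any markup inside it becomes live DOM.
function renderRecentUnsafe(projects) {
  return projects
    .map(p => `<li><a href="/projects/${p.id}/">${p.title}</a></li>`)
    .join('');
}

// Hardened pattern: encode every untrusted field before it becomes markup;
// the id is coerced with Number() so it cannot carry markup either.
function renderRecentSafe(projects) {
  return projects
    .map(p => `<li><a href="/projects/${Number(p.id)}/">${escapeHtml(p.title)}</a></li>`)
    .join('');
}

// Preferred in extension code: build nodes and assign the title with
// textContent, so the browser never parses it. `doc` is injected so the
// function can be exercised outside a browser with any createElement shim.
function appendRecentSafe(doc, listEl, projects) {
  for (const p of projects) {
    const li = doc.createElement('li');
    const a = doc.createElement('a');
    a.href = `/projects/${Number(p.id)}/`;
    a.textContent = p.title; // text, never markup
    li.appendChild(a);
    listEl.appendChild(li);
  }
}

// Hypothetical regression check: does any title that contains a tag open
// appear verbatim (unencoded) in the rendered markup?
function titleMarkupLeaked(html, projects) {
  return projects.some(p => /<[a-z]/i.test(p.title) && html.includes(p.title));
}
```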
Potential Impact
For European organizations, the impact of this vulnerability primarily concerns users who utilize the ScratchTools extension to engage with the Scratch community. While Scratch is largely an educational and hobbyist platform, the compromise of user accounts could lead to unauthorized actions within the Scratch ecosystem, including manipulation of projects or misuse of user data. In educational institutions and organizations promoting coding literacy, compromised accounts could disrupt learning activities or be leveraged as a foothold for further social engineering attacks. Additionally, if ScratchTools is used in environments where user credentials overlap with other systems (e.g., shared passwords or linked accounts), there is a risk of broader credential compromise. The vulnerability’s exploitation could also erode trust in educational tools and platforms. However, the scope is limited to users of the affected extension versions, and no direct impact on critical infrastructure or enterprise systems is indicated. Given the absence of known exploits in the wild, the immediate risk is moderate but warrants prompt patching to prevent potential account takeovers.
Mitigation Recommendations
1. Upgrade to ScratchTools version 2.5.2 or later, where the vulnerability has been fixed by proper input sanitization and encoding.
2. Educate users about the risks of interacting with untrusted Scratch projects, especially those with suspicious or unusual titles.
3. Implement Content Security Policy (CSP) headers if possible within the extension or hosting environment to restrict execution of inline scripts and reduce XSS impact.
4. Monitor user accounts for unusual activity indicative of compromise, such as unexpected project modifications or unauthorized actions.
5. Encourage the use of unique, strong passwords for Scratch accounts to limit the impact of potential credential theft.
6. For organizations deploying ScratchTools in managed environments, consider disabling or restricting the Recently Viewed Projects feature until patched.
7. Regularly audit and review third-party extensions used in educational or organizational contexts to ensure they are up to date and free from known vulnerabilities.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9844c4522896dcbf3660
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/23/2025, 3:35:37 AM
Last updated: 7/29/2025, 4:14:02 PM