Skip to main content

Go to Calendar     Go to Press Room     Go to Newsletters subscription

  • INCIBE
    • Your Help in Cybersecurity
      • FAQ
    • Training
    • Cibercooperantes Program
    • Press Room
    • Corporate information
      • What is INCIBE
          1. Organisation chart
          2. Internal regulations
      • What we do
      • How do we operate
      • Who we work with
          1. European projects participation
          2. Memberships
          3. Network of excellence on cybersecurity R&D&i
          4. Companies
      • Contracting Organisation Profile
      • Calendar
  • INCIBE-CERT
    • Early Warning
      • Security Advisories
      • ICS Advisories
      • Vulnerabilities
          1. CNA
          2. CVE assignment and publication
          3. Coordinated CVEs
          4. Participating CNAs
    • Blog
    • Publications
      • Cybersecurity Highlights
      • Guides
      • Webinars
      • Segmented
    • Incidents
      • Incident responses
    • Services
    • About us
      • What is INCIBE-CERT
      • PGP Public keys
      • TLP
      • Vulnerability disclosure policy
      • RFC 2350
  • CITIZENS
    • Seniors
    • We help you
      • Tu Ayuda en Ciberseguridad
      • Reporte de fraude
    • Security tools
    • Temáticas
  • MINORS
    • Educators
    • Families
      • Parental Mediation
      • Cybersecurity
    • Youth
    • Hotline
  • Companies
    • We help you
      • Tu Ayuda en Ciberseguridad
    • TemáTICas
  • EVENTS
    • SID
    • Cybersecurity Summer BootCamp
    • ENISE
    • CyberCamp
  • DIGITAL SPAIN 2026
    • Cybersecurity Entrepreneurship
    • NCC-ES INCIBE
    • Internationalization
      • New Markets
      • Exterior Visibility
      • Foreign Investment
 
Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT
  • INCIBE
    •  
    • Your Help in Cybersecurity
      •  
      • FAQ
    • Training
    • Cibercooperantes Program
    • Press Room
    • Corporate information
      •  
      • What is INCIBE
        •  
          1. Organisation chart
          2. Internal regulations
      • What we do
      • How do we operate
      • Who we work with
        •  
          1. European projects participation
          2. Memberships
          3. Network of excellence on cybersecurity R&D&i
          4. Companies
      • Contracting Organisation Profile
      • Calendar
  • INCIBE-CERT
    •  
    • Early Warning
      •  
      • Security Advisories
      • ICS Advisories
      • Vulnerabilities
        •  
          1. CNA
          2. CVE assignment and publication
          3. Coordinated CVEs
          4. Participating CNAs
    • Blog
    • Publications
      •  
      • Cybersecurity Highlights
      • Guides
      • Webinars
      • Segmented
    • Incidents
      •  
      • Incident responses
    • Services
    • About us
      •  
      • What is INCIBE-CERT
      • PGP Public keys
      • TLP
      • Vulnerability disclosure policy
      • RFC 2350
  • CITIZENS
    •  
    • Seniors
    • We help you
      •  
      • Tu Ayuda en Ciberseguridad
      • Reporte de fraude
    • Security tools
    • Temáticas
  • MINORS
    •  
    • Educators
    • Families
      •  
      • Parental Mediation
      • Cybersecurity
    • Youth
    • Hotline
  • Companies
    •  
    • We help you
      •  
      • Tu Ayuda en Ciberseguridad
    • TemáTICas
  • EVENTS
    •  
    • SID
    • Cybersecurity Summer BootCamp
    • ENISE
    • CyberCamp
  • DIGITAL SPAIN 2026
    •  
    • Cybersecurity Entrepreneurship
    • NCC-ES INCIBE
    • Internationalization
      •  
      • New Markets
      • Exterior Visibility
      • Foreign Investment

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

  1. Home
  2. INCIBE-CERT
  3. Early warning
  4. Vulnerabilities
  5. CVE-2025-53904

CVE-2025-53904

Severity CVSS v4.0:
LOW
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
16/07/2025
Last modified:
17/07/2025

Description

The Scratch Channel is a news website that is under development as of time of this writing. The file `/api/admin.js` contains code that could make the website vulnerable to cross-site scripting. No known patches exist as of time of publication.

Impact

Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U CVSS v4.0 Severity and Metrics:

Base Score: 1.30 LOW
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): Passsive
Confidentiality (VC): None
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): Low
Integrity (SI): Low
Availability (SA): None
Exploit Maturity (E): Unreported

Base Score 4.0
1.30
Severity 4.0
LOW

References to Advisories, Solutions, and Tools

  • https://github.com/The-Scratch-Channel/the-scratch-channel.github.io/blob/main/api/admin.js#L18
  • https://github.com/The-Scratch-Channel/the-scratch-channel.github.io/security/advisories/GHSA-hgh4-pj74-f5rr
INCIBE-CERT

Newsletter subscription

Nipo: 094-20-022-9

Follow us:  Link to INCIBE-CERT's Twitter Link to INCIBE-CERT's Linkedin Link to INCIBE-CERT's YouTube account

  • Contact
  • Personal Data Protection Policy
  • Legal notice
  • Configure cookies
  • Cookies policy
  • Site Map
  • Contracting Organisation Profile

Funded by the European Union - Next Generation EU

 

Government of Spain. Ministry for digital transformation and public service. Secretary of state for for Telecommunications and Digital Infrastructures

Recovery, Transformation and Resilience Plan

 

Conformity Certification
Aenor Security Information
Aenor Registered Company

Nipo: 094-20-027-6

INCIBE on Twitter INCIBE on Instagram INCIBE on Linkedin INCIBE on Facebook INCIBE on YouTube

×

imagen ampliada

Go top