CVE-2020-7750
Published: 2020-10-21
Priority: P3 · 57 · critical 9.6 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:H
Exploit
EPSS: 6.07% (92.5th percentile)
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mit | scratch-svg-renderer | — | — |
| mit | scratch-svg-renderer | — | — |
| mit | scratch-svg-renderer | >= 0 < 0.2.0-prerelease.20201019174008 | 0.2.0-prerelease.20201019174008 |
| mit | scratch-svg-renderer | >= unspecified < 0.2.0-prerelease.20201019174008 | 0.2.0-prerelease.20201019174008 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
GHSA · 2020-11-09
CVE-2020-7750 [HIGH] CWE-79 Cross-Site Scripting in scratch-svg-renderer
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
OSV · 2020-11-09
CVE-2020-7750 [HIGH] Cross-Site Scripting in scratch-svg-renderer
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
No detection rules found.
No writeups or analysis indexed.
Published: 2020-10-21