CVE-2020-7750
published 2020-10-21


Priority: P357, severity critical, CVSS 3.1 base score 9.6
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:H
Exploit likelihood (EPSS): 6.07% (92.5th percentile)
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.

Affected (4 ranges)

Vendor | Product              | Version range                                      | Fixed in
mit    | scratch-svg-renderer |                                                    |
mit    | scratch-svg-renderer |                                                    |
mit    | scratch-svg-renderer | >= 0, < 0.2.0-prerelease.20201019174008            | 0.2.0-prerelease.20201019174008
mit    | scratch-svg-renderer | >= unspecified, < 0.2.0-prerelease.20201019174008  | 0.2.0-prerelease.20201019174008
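The fix for this CVE shipped as a prerelease tag, so "am I affected?" comes down to comparing an installed version against 0.2.0-prerelease.20201019174008 with semver precedence rules (a plain 0.2.0 is newer than any 0.2.0-prerelease.* tag, and prerelease identifiers compare numerically when they are all digits). The following is an added example, not code from the CVE record or from the scratch-svg-renderer project: it implements that comparison and scans the `packages` map of a package-lock.json (lockfileVersion 2 or 3) for copies of the package still inside the affected range. The lockfile contents and the older prerelease timestamp in it are constructed for illustration.

```javascript
// Added example: check installed scratch-svg-renderer versions against the
// affected range ">= 0 < 0.2.0-prerelease.20201019174008" for CVE-2020-7750.
// Not part of the scratch-svg-renderer project; the lockfile below is constructed.

const FIXED_VERSION = "0.2.0-prerelease.20201019174008";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]". Build metadata is ignored
// for precedence, as semver 2.0.0 requires.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(
    String(version).trim()
  );
  if (!m) throw new Error(`not a semver version: ${version}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Compare two prerelease identifiers: all-digit ids compare numerically,
// a numeric id ranks below an alphanumeric one, otherwise ASCII order.
function comparePreId(a, b) {
  const an = /^\d+$/.test(a);
  const bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b under semver precedence.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  // Same MAJOR.MINOR.PATCH: a prerelease ranks below the plain release.
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const shared = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < shared; i++) {
    const c = comparePreId(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  // All shared identifiers equal: the longer prerelease list ranks higher.
  return Math.sign(x.pre.length - y.pre.length);
}

// Affected range from the advisory: everything below the fixed prerelease.
function isAffected(installedVersion) {
  return compareSemver(installedVersion, FIXED_VERSION) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including nested copies under other dependencies, and report each
// scratch-svg-renderer entry that is still in the affected range.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/scratch-svg-renderer")) continue;
    if (entry && entry.version && isAffected(entry.version)) {
      hits.push(`${path}@${entry.version}`);
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real project): the top-level copy is on
// the fixed tag, a nested copy under a hypothetical dependent is older.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/scratch-svg-renderer": { version: FIXED_VERSION },
    "node_modules/some-dependent/node_modules/scratch-svg-renderer": {
      version: "0.2.0-prerelease.20200101000000",
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findAffectedInLock(SAMPLE_LOCK)) {
    console.log(`affected by CVE-2020-7750: ${hit}`);
  }
}
```

Nested copies matter here: a fixed top-level install does not help if another dependency pins its own older scratch-svg-renderer, which is why the scan walks every `node_modules/.../scratch-svg-renderer` path rather than only the top-level one.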

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 9.6   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
nvd    | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P