CVE-2020-7750

Published: Oct 21, 2020

Modified: Sep 16, 2024

PUBLISHED

CVSS v3.1

9.6

CRITICAL

Description

This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.

Vendor	Product	Versions
n/a	scratch-svg-renderer	affected `unspecified - < 0.2.0-prerelease.20201019174008`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://snyk.io/vuln/SNYK-JS-SCRATCHSVGRENDERER-1020497

x_refsource_MISC

https://github.com/LLK/scratch-svg-renderer/commit/9ebf57588aa596c4fa3bb64209e10ade395aee90

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-7750

Description

Affected Products

CVSS v3.1 Details

References