
Cross-Site Scripting in scratch-svg-renderer

High severity · GitHub Reviewed · Published Nov 9, 2020 to the GitHub Advisory Database · Updated Jan 9, 2023

Package

npm scratch-svg-renderer (npm)

Affected versions

<= 0.2.0-prerelease.20201016121710

Patched versions

0.2.0-prerelease.20201019174008

Description

This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
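The advisory describes the general shape of the bug: SVG text from an untrusted source is placed into the live DOM (here for measurement) without being sanitized, so any `<script>` element, `on*` event handler or `javascript:` link inside it executes in the page. The example below is an added illustration, not code from scratch-svg-renderer or from this advisory, and it does not reproduce `loadString` or `_transformMeasurements`. It shows the defensive step those functions lacked in the affected versions: a sanitization pass that parses the SVG as XML, strips the scriptable parts, and returns both the cleaned markup and a list of what was removed, so the caller can log or reject suspicious content before it ever reaches the DOM. The sample SVG and the `sanitize_svg` function are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that let SVG run script or embed arbitrary HTML once it is in the DOM.
DANGEROUS_TAGS = {"script", "foreignObject"}
# Link attributes (plain and xlink-namespaced) whose value may be a script URL.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

# Constructed sample: a benign drawing with several injected scriptable parts.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <rect width="50" height="50" fill="orange" onclick="alert(1)"/>
  <script>alert('xss')</script>
  <a xlink:href="JavaScript:alert(2)"><text y="20">click</text></a>
  <foreignObject><div>html</div></foreignObject>
  <circle r="10" cx="70" cy="70"/>
</svg>"""


def _local_name(tag: str) -> str:
    """Strip the namespace prefix from an ElementTree tag such as '{ns}script'."""
    return tag.rsplit("}", 1)[-1]


def _is_script_url(value: str) -> bool:
    """True for javascript: and data:text/html URLs, ignoring case, whitespace and control characters."""
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return compact.startswith(("javascript:", "data:text/html"))


def sanitize_svg(svg_text: str):
    """Return (sanitized_svg, removed).

    Removes <script> and <foreignObject> subtrees, every on* event-handler
    attribute, and href/xlink:href attributes carrying script URLs. The
    'removed' list names each stripped item so callers can log or reject.
    Raises ValueError if the document root is not an <svg> element.
    """
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    if _local_name(root.tag) != "svg":
        raise ValueError("document root is not <svg>")
    removed = []

    # Pass 1: drop dangerous subtrees. Snapshot the parents first so that
    # detaching children does not disturb the traversal.
    for parent in list(root.iter()):
        for child in list(parent):
            name = _local_name(child.tag)
            if name in DANGEROUS_TAGS:
                removed.append(f"element:{name}")
                parent.remove(child)

    # Pass 2: drop event-handler attributes and script URLs on what remains.
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = _local_name(attr)
            if name.lower().startswith("on"):
                removed.append(f"attr:{name}")
                del elem.attrib[attr]
            elif attr in URL_ATTRS and _is_script_url(elem.attrib[attr]):
                removed.append(f"url:{name}")
                del elem.attrib[attr]

    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE_SVG)
    print("removed:", removed)
    print(clean)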

References

Reviewed Nov 9, 2020
Published to the GitHub Advisory Database Nov 9, 2020
Last updated Jan 9, 2023

Severity

High

Weaknesses

CVE ID

CVE-2020-7750

GHSA ID

GHSA-j977-g5vj-j27g

Source code

No known source code