Cross-Site Scripting in scratch-svg-renderer · CVE-2020-7750 · GitHub Advisory Database · GitHub

Cross-Site Scripting in scratch-svg-renderer

High severity GitHub Reviewed Published Nov 9, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

scratch-svg-renderer (npm)

Affected versions

<= 0.2.0-prerelease.20201016121710

Patched versions

0.2.0-prerelease.20201019174008

Description

This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.

References

Reviewed Nov 9, 2020

Published to the GitHub Advisory Database Nov 9, 2020

Last updated Jan 9, 2023

⚡