Lucene search
HistoryOct 21, 2020 - 5:15 p.m.
CVE-2020-7750
cve-2020-7750
scratch-svg-renderer
security vulnerability
dom injection
nvd
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.2 High
AI Score
Confidence
High
0.006 Low
EPSS
Percentile
78.4%
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
Affected configurations
Node
mitscratch-svg-rendererMatch0.1.0-node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease1515799461node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease1515800444node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180117145116node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180117210827node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180118201049node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180118201241node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180118224509node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180124043252node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180124054052node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180210005926node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180329174139node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180423193917node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180508170432node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180510171850node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180510181711node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180511144653node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180514170126node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180521194642node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180524204036node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180524210316node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180531205843node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180531214630node.js
ORmitscratch-svg-rendererMatch0.1.0prerelease20180605140533node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20180605154326node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20180607141644node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20180613184320node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20180618172917node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20180711180400node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20180712223402node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20180817005452node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20180821210632node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20180907141232node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20180926143036node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181017193458node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181024192149node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181101210634node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181126212715node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181212190400node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181212222326node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181212230607node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181213165142node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181213192400node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181218153528node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20181220183040node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190109201344node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190110205335node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190125192231node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190304180800node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190329052730node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190419183947node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190521170426node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190523193400node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190715144718node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190715153806node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190820171249node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190822193232node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20190822202608node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20191031221353node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20191104164753node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20191217211338node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20200103191258node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20200103211543node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20200109070519node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20200205003215node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20200205003400node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20200507183648node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20200604203226node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20200609210443node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20200610220938node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201008203328node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201009194722node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201009195807node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201009202925node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201009211507node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201011114003node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201012151417node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201013123302node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201013184332node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201014105708node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201014130133node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201014145347node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201015122106node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201015135047node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201015194358node.js
ORmitscratch-svg-rendererMatch0.2.0prerelease20201016121710node.js
CNA Affected
[
{
"product": "scratch-svg-renderer",
"vendor": "n/a",
"versions": [
{
"lessThan": "0.2.0-prerelease.20201019174008",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]Related
osv
osv
Cross-Site Scripting in scratch-svg-renderer
2020-11-09 14:21:17
CVE-2020-7750
2020-10-21 17:15:13
nvd
nvd
CVE-2020-7750
2020-10-21 17:15:13
nodejs
nodejs
Cross-Site Scripting in scratch-svg-renderer
2020-11-09 14:24:31
githubexploit
githubexploit
Exploit for Cross-site Scripting in Mit Scratch-Svg-Renderer
2020-12-08 13:40:01
github
github
Cross-Site Scripting in scratch-svg-renderer
2020-11-09 14:21:17
packetstorm
packetstorm
Scratch Desktop 3.17 Code Execution / Cross Site Scripting
2021-07-02 00:00:00
prion
prion
Code injection
2020-10-21 17:15:00
cvelist
cvelist
CVE-2020-7750 Cross-site Scripting (XSS)
2020-10-21 00:00:00
zdt
zdt
exploitdb
exploitdb
Scratch Desktop 3.17 - Remote Code Execution
2021-07-02 00:00:00
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.2 High
AI Score
Confidence
High
0.006 Low
EPSS
Percentile
78.4%
Related for CVE-2020-7750