Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo5NzctZzV2ai1qMjdn

Cross-Site Scripting in scratch-svg-renderer

This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not sanitize the SVG markup it is given, and the _transformMeasurements function inserts the parsed SVG into the live document in order to measure it, so an attacker-controlled SVG can inject arbitrary elements into the DOM of the embedding page, including elements that run script through event-handler attributes. Any application that passes untrusted SVG text to loadString is exposed to cross-site scripting in its own origin.

Permalink: https://github.com/advisories/GHSA-j977-g5vj-j27g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo5NzctZzV2ai1qMjdn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


CVSS Score: 9.7 (the CVSS v3.1 base equations applied to the vector below give 9.6, which falls in the Critical band of the qualitative scale)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Identifiers: GHSA-j977-g5vj-j27g, CVE-2020-7750
References: Repository: https://github.com/LLK/scratch-svg-renderer
Blast Radius: 23.5

Affected Packages

npm:scratch-svg-renderer
Dependent packages: 98
Dependent repositories: 264
Downloads: 11,810 last month
Affected Version Ranges: <= 0.2.0-prerelease.20201016121710
Fixed in: 0.2.0-prerelease.20201019174008
All affected versions: 0.1.0, 0.2.0-prerelease.20180605154326, 0.2.0-prerelease.20180607141644, 0.2.0-prerelease.20180613184320, 0.2.0-prerelease.20180618172917, 0.2.0-prerelease.20180711180400, 0.2.0-prerelease.20180712223402, 0.2.0-prerelease.20180817005452, 0.2.0-prerelease.20180821210632, 0.2.0-prerelease.20180907141232, 0.2.0-prerelease.20180926143036, 0.2.0-prerelease.20181017193458, 0.2.0-prerelease.20181024192149, 0.2.0-prerelease.20181101210634, 0.2.0-prerelease.20181126212715, 0.2.0-prerelease.20181212190400, 0.2.0-prerelease.20181212222326, 0.2.0-prerelease.20181212230607, 0.2.0-prerelease.20181213165142, 0.2.0-prerelease.20181213192400, 0.2.0-prerelease.20181218153528, 0.2.0-prerelease.20181220183040, 0.2.0-prerelease.20190109201344, 0.2.0-prerelease.20190110205335, 0.2.0-prerelease.20190125192231, 0.2.0-prerelease.20190304180800, 0.2.0-prerelease.20190329052730, 0.2.0-prerelease.20190419183947, 0.2.0-prerelease.20190521170426, 0.2.0-prerelease.20190523193400, 0.2.0-prerelease.20190715144718, 0.2.0-prerelease.20190715153806, 0.2.0-prerelease.20190820171249, 0.2.0-prerelease.20190822193232, 0.2.0-prerelease.20190822202608, 0.2.0-prerelease.20191031221353, 0.2.0-prerelease.20191104164753, 0.2.0-prerelease.20191217211338, 0.2.0-prerelease.20200103191258, 0.2.0-prerelease.20200103211543, 0.2.0-prerelease.20200109070519, 0.2.0-prerelease.20200205003215, 0.2.0-prerelease.20200205003400, 0.2.0-prerelease.20200507183648, 0.2.0-prerelease.20200604203226, 0.2.0-prerelease.20200609210443, 0.2.0-prerelease.20200610220938, 0.2.0-prerelease.20201008203328, 0.2.0-prerelease.20201009194722, 0.2.0-prerelease.20201009195807, 0.2.0-prerelease.20201009202925, 0.2.0-prerelease.20201009211507, 0.2.0-prerelease.20201011114003, 0.2.0-prerelease.20201012151417, 0.2.0-prerelease.20201013123302, 0.2.0-prerelease.20201013184332, 0.2.0-prerelease.20201014105708, 0.2.0-prerelease.20201014130133, 0.2.0-prerelease.20201014145347, 0.2.0-prerelease.20201015122106, 0.2.0-prerelease.20201015135047, 0.2.0-prerelease.20201015194358, 0.2.0-prerelease.20201016121710
All unaffected versions: 0.2.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.15, 2.3.16, 2.3.17, 2.3.18, 2.3.19, 2.3.20, 2.3.21, 2.3.22, 2.3.23, 2.3.24, 2.3.25, 2.3.26, 2.3.27, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.3.38, 2.3.39, 2.3.40, 2.3.41
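To turn the affected range above into a check that can be run against a lockfile, here is an added example that is not code from ecosyste.ms or the scratch-svg-renderer project. It implements Semantic Versioning 2.0.0 precedence (section 11 of the spec) inline, including the numeric pre-release identifier comparison that orders the dated 0.2.0-prerelease builds between 0.1.0 and 0.2.0, and scans a package-lock.json "packages" map for affected copies. The GHSA_J977_G5VJ_J27G object, the helper names and the SAMPLE_LOCK fragment are this example's own assumptions; only the version strings in it are taken from the listing.

```javascript
// Added example for this advisory listing; it is not code from ecosyste.ms or
// the scratch-svg-renderer project. It implements Semantic Versioning 2.0.0
// precedence (spec section 11) inline, so it runs without the npm `semver`
// package, and uses it to evaluate the affected range listed above.

const SEMVER_RE = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseSemver(s) {
  const m = SEMVER_RE.exec(String(s).trim());
  if (!m) throw new Error('not a semver version: ' + s);
  // Build metadata (+...) is ignored for precedence, as the spec requires.
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Pre-release identifier ordering: numeric vs numeric by value, numeric < alphanumeric,
// alphanumeric vs alphanumeric in ASCII order. BigInt keeps 14-digit date stamps exact.
function compareIdent(a, b) {
  const an = /^\d+$/.test(a);
  const bn = /^\d+$/.test(b);
  if (an && bn) {
    const x = BigInt(a), y = BigInt(b);
    return x < y ? -1 : x > y ? 1 : 0;
  }
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 for x < y, x == y, x > y in semver precedence.
function compareSemver(x, y) {
  const a = parseSemver(x);
  const b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;   // a release outranks any pre-release of the same core
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdent(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length); // more identifiers = higher precedence
}

// Range data copied from the listing above; the object shape is this example's own.
const GHSA_J977_G5VJ_J27G = {
  id: 'GHSA-j977-g5vj-j27g',
  pkg: 'scratch-svg-renderer',
  lastAffected: '0.2.0-prerelease.20201016121710', // "Affected Version Ranges: <= ..."
  fixedIn: '0.2.0-prerelease.20201019174008',
};

function isAffected(version, adv = GHSA_J977_G5VJ_J27G) {
  return compareSemver(version, adv.lastAffected) <= 0;
}

// Scan the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including nested copies under node_modules/<dep>/node_modules/...
function findVulnerable(lock, adv = GHSA_J977_G5VJ_J27G) {
  const hits = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const at = path.lastIndexOf(marker);
    if (at < 0) continue;                        // "" is the root project itself
    const name = path.slice(at + marker.length); // also yields @scope/name for scoped packages
    if (name === adv.pkg && entry.version && isAffected(entry.version, adv)) {
      hits.push({ path, version: entry.version, fixedIn: adv.fixedIn });
    }
  }
  return hits;
}

// Constructed lockfile fragment for the example (not from any real project):
// one affected copy at the top level and two unaffected nested copies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/scratch-svg-renderer': { version: '0.2.0-prerelease.20201016121710' },
    'node_modules/some-consumer/node_modules/scratch-svg-renderer': { version: '0.2.0-prerelease.20201019174008' },
    'node_modules/other-dep/node_modules/scratch-svg-renderer': { version: '2.3.41' },
  },
};

console.log(findVulnerable(SAMPLE_LOCK));
// -> one hit: node_modules/scratch-svg-renderer at 0.2.0-prerelease.20201016121710
```

If you use the npm `semver` package instead of the inline comparator, call `semver.satisfies(version, '<=0.2.0-prerelease.20201016121710', { includePrerelease: true })`; without that option node-semver skips pre-release versions whose major.minor.patch does not appear in the range, and a dependency tree made almost entirely of dated pre-release builds is exactly where such a scan would otherwise go quiet.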