{"id":"CVE-2020-7750","details":"This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.","aliases":["GHSA-j977-g5vj-j27g"],"modified":"2026-04-09T07:20:28.065008Z","published":"2020-10-21T17:15:13.343Z","related":["SNYK-JS-SCRATCHSVGRENDERER-1020497"],"references":[{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-JS-SCRATCHSVGRENDERER-1020497"},{"type":"FIX","url":"https://github.com/LLK/scratch-svg-renderer/commit/9ebf57588aa596c4fa3bb64209e10ade395aee90"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/llk/scratch-svg-renderer","events":[{"introduced":"0"},{"last_affected":"6365e0bed26ff350ac584d2e62f310979a0956bd"},{"introduced":"0"},{"last_affected":"5db68845b6130bf3768998f58ad9c0b778f66217"},{"introduced":"0"},{"last_affected":"a2a46638838ad5d518cf80db44e9d44fdc830314"},{"introduced":"0"},{"last_affected":"62ea2d4df65fe719336242b9c705f277e368c39d"},{"introduced":"0"},{"last_affected":"af4207f8f70e8291688b49dbe499872719474b5f"},{"introduced":"0"},{"last_affected":"e37d95be95f2f07fd5a57a6717ce1834f0c5819b"},{"introduced":"0"},{"last_affected":"1832f390952a1eb3b8da97143a7dff99b96be39d"},{"introduced":"0"},{"last_affected":"5db68845b6130bf3768998f58ad9c0b778f66217"},{"introduced":"0"},{"last_affected":"21d8f1668f6a8926280f9a9247b062c8ec6957fd"},{"introduced":"0"},{"last_affected":"9ebf57588aa596c4fa3bb64209e10ade395aee90"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201009195807"},{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201009202925"},{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201009211507"},{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201011114003"},{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201012151417"},{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201014105708"},{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201014145347"},{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201015122106"},{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201015135047"},{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201015194358"}]}},{"type":"GIT","repo":"https://github.com/scratchfoundation/scratch-svg-renderer","events":[{"introduced":"0"},{"fixed":"9ebf57588aa596c4fa3bb64209e10ade395aee90"}]}],"versions":["0.2.0-prerelease.20201009195807","0.2.0-prerelease.20201009202925","0.2.0-prerelease.20201009211507","0.2.0-prerelease.20201011114003","0.2.0-prerelease.20201012151417","0.2.0-prerelease.20201014105708","0.2.0-prerelease.20201014145347","0.2.0-prerelease.20201015122106","0.2.0-prerelease.20201015135047","0.2.0-prerelease.20201015194358"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"0.1.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease1515799461"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease1515800444"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180117145116"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180117210827"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180118201049"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180118201241"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180118224509"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180124043252"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180124054052"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180210005926"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180329174139"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180423193917"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180508170432"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180510171850"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180510181711"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180511144653"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180514170126"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180521194642"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180524204036"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180524210316"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180531205843"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180531214630"}]},{"events":[{"introduced":"0"},{"last_affected":"0.1.0-prerelease20180605140533"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20180605154326"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20180607141644"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20180613184320"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20180618172917"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20180711180400"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20180712223402"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20180817005452"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20180821210632"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20180907141232"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20180926143036"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181017193458"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181024192149"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181101210634"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181126212715"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181212190400"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181212222326"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181212230607"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181213165142"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181213192400"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181218153528"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20181220183040"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190109201344"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190110205335"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190125192231"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190304180800"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190329052730"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190419183947"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190521170426"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190523193400"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190715144718"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190715153806"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190820171249"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190822193232"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20190822202608"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20191031221353"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20191104164753"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20191217211338"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20200103191258"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20200103211543"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20200109070519"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20200205003215"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20200205003400"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20200507183648"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20200604203226"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20200609210443"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20200610220938"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201008203328"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201009194722"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201013123302"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201013184332"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201014130133"}]},{"events":[{"introduced":"0"},{"last_affected":"0.2.0-prerelease20201016121710"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7750.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}