npm package
scratch-svg-renderer
pkg:npm/scratch-svg-renderer
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-27428 | — | | | <= 0.2.0 | — | Jan 5, 2022 | A DOM-based cross-site scripting (XSS) vulnerability in Scratch-Svg-Renderer v0.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted sb3 file. |
| CVE-2020-7750 | — | | | < 0.2.0-prerelease.20201019174008 | 0.2.0-prerelease.20201019174008 | Oct 21, 2020 | This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function. |