CVE-2020-27428
https://notcve.org/view.php?id=CVE-2020-27428
A DOM-based cross-site scripting (XSS) vulnerability in Scratch-Svg-Renderer v0.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted sb3 file. • https://github.com/LLK/scratch-svg-renderer/commit/7c74ec7de3254143ec3c557677f5355a90a3d07f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-7750 – Cross-site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2020-7750
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function. • https://www.exploit-db.com/exploits/50079 https://github.com/ossf-cve-benchmark/CVE-2020-7750 https://github.com/LLK/scratch-svg-renderer/commit/9ebf57588aa596c4fa3bb64209e10ade395aee90 https://snyk.io/vuln/SNYK-JS-SCRATCHSVGRENDERER-1020497 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')