NVD脆弱性詳細

CVE-2020-7750

概要	This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
公表日	2020年10月22日2:15
登録日	2021年1月26日12:01
最終更新日	2024年11月21日14:37

CVSS3.1 : CRITICAL
スコア	9.6
ベクター	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	要
影響の想定範囲(S)	変更あり
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

CVSS2.0 : MEDIUM
スコア	6.8
ベクター	AV:N/AC:M/Au:N/C:P/I:P/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	低
全ての特権を取得	いいえ
ユーザー権限を取得	いいえ
その他の権限を取得	いいえ
ユーザー操作が必要	はい

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:-::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease1515799461::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease1515800444::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180117145116::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180117210827::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180118201049::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180118201241::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180118224509::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180124043252::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180124054052::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180210005926::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180329174139::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180423193917::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180508170432::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180510171850::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180510181711::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180511144653::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180514170126::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180521194642::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180524204036::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180524210316::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180531205843::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180531214630::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180605140533::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180605154326::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180607141644::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180613184320::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180618172917::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180711180400::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180712223402::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180817005452::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180821210632::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180907141232::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180926143036::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181017193458::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181024192149::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181101210634::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181126212715::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181212190400::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181212222326::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181212230607::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181213165142::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181213192400::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181218153528::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181220183040::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190109201344::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190110205335::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190125192231::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190304180800::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190329052730::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190419183947::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190521170426::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190523193400::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190715144718::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190715153806::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190820171249::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190822193232::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190822202608::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20191031221353::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20191104164753::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20191217211338::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200103191258::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200103211543::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200109070519::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200205003215::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200205003400::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200507183648::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200604203226::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200609210443::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200610220938::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201008203328::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201009194722::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201009195807::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201009202925::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201009211507::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201011114003::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201012151417::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201013123302::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201013184332::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201014105708::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201014130133::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201014145347::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201015122106::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201015135047::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201015194358::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201016121710::::node.js::*

構成1	以上	以下	より上	未満
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:-::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease1515799461::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease1515800444::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180117145116::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180117210827::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180118201049::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180118201241::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180118224509::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180124043252::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180124054052::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180210005926::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180329174139::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180423193917::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180508170432::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180510171850::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180510181711::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180511144653::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180514170126::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180521194642::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180524204036::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180524210316::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180531205843::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180531214630::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.1.0:prerelease20180605140533::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180605154326::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180607141644::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180613184320::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180618172917::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180711180400::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180712223402::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180817005452::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180821210632::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180907141232::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20180926143036::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181017193458::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181024192149::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181101210634::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181126212715::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181212190400::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181212222326::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181212230607::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181213165142::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181213192400::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181218153528::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20181220183040::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190109201344::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190110205335::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190125192231::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190304180800::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190329052730::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190419183947::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190521170426::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190523193400::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190715144718::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190715153806::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190820171249::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190822193232::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20190822202608::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20191031221353::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20191104164753::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20191217211338::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200103191258::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200103211543::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200109070519::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200205003215::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200205003400::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200507183648::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200604203226::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200609210443::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20200610220938::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201008203328::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201009194722::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201009195807::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201009202925::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201009211507::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201011114003::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201012151417::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201013123302::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201013184332::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201014105708::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201014130133::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201014145347::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201015122106::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201015135047::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201015194358::::node.js::*
cpe:2.3:a:mit:scratch-svg-renderer:0.2.0:prerelease20201016121710::::node.js::*

No	URL	タグ
1	https://github.com/LLK/scratch-svg-renderer/commit/9ebf57588aa596c4fa3bb64209e10ade395aee90	Patch Third Party Advisory
2	https://github.com/LLK/scratch-svg-renderer/commit/9ebf57588aa596c4fa3bb64209e10ade395aee90	Patch Third Party Advisory
3	https://snyk.io/vuln/SNYK-JS-SCRATCHSVGRENDERER-1020497	Third Party Advisory
4	https://snyk.io/vuln/SNYK-JS-SCRATCHSVGRENDERER-1020497	Third Party Advisory

タイトル	scratch-svg-renderer におけるクロスサイトスクリプティングの脆弱性
概要	scratch-svg-renderer には、クロスサイトスクリプティングの脆弱性が存在します。
想定される影響	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2020年10月16日0:00
登録日	2021年5月7日16:13
最終更新日	2021年5月7日16:13

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-7750	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7750
National Vulnerability Database (NVD)
2	CVE-2020-7750	https://nvd.nist.gov/vuln/detail/CVE-2020-7750

No	名前	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

No	名前	URL
GitHub
1	Merge pull request #179 from LLK/hotfix/purify-just-in-time	https://github.com/LLK/scratch-svg-renderer/commit/9ebf57588aa596c4fa3bb64209e10ade395aee90

No	名前	URL
関連文書
1	SNYK-JS-SCRATCHSVGRENDERER-1020497 (Affecting scratch-svg-renderer package, versions <0.2.0-prerelease.20201019174008)	https://snyk.io/vuln/SNYK-JS-SCRATCHSVGRENDERER-1020497