CVE-2020-7750

9.6 CRITICAL

📋 TL;DR

CVE-2020-7750 is a DOM-based cross-site scripting (XSS) vulnerability in the scratch-svg-renderer npm package. The loadString function does not escape the SVG text it is given, so a crafted SVG can inject arbitrary elements into the page DOM when the renderer processes it (via _transformMeasurements). Any web application that passes attacker-controlled SVG to a vulnerable version of the package is affected; users who open untrusted SVG content through such an application are at risk.

💻 Affected Systems

Products:
  • scratch-svg-renderer
Versions: All versions before 0.2.0-prerelease.20201019174008
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Exposure is limited to applications that pass SVG from untrusted sources (user uploads, shared projects) to the package; there is no package setting that disables the affected code path.

📦 What is this software?

scratch-svg-renderer is an npm library from the Scratch project (the LLK organization on GitHub) that loads SVG source text and renders it to a canvas. The Scratch 3.0 editor uses it to display SVG costumes and backdrops, which are user-created, so in its main deployment the SVG it processes is untrusted input.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker-controlled script running in the origin of the hosting application for every user who views the malicious SVG, leading to session hijacking, credential theft, or forced downloads and malware delivery.

🟠

Likely Case

Limited XSS attacks stealing user data or performing actions within the user's context on the affected application.

🟢

If Mitigated

Impact is greatly reduced, though not eliminated, if a strict CSP blocks inline scripts and event handlers and SVG input is sanitized before rendering; without sanitization, injected non-script markup can still reach the DOM.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a victim to load attacker-supplied SVG (for example an uploaded costume or a shared project), but the attacker needs no account on the application, and the payload runs in the victim's browser with the victim's session and origin.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.0-prerelease.20201019174008 and later

Vendor Advisory: https://github.com/LLK/scratch-svg-renderer/commit/9ebf57588aa596c4fa3bb64209e10ade395aee90

Restart Required: No

Instructions:

1. Update package.json (and the lockfile) so that scratch-svg-renderer resolves to 0.2.0-prerelease.20201019174008 or later. Because the fix is a prerelease tag, a range such as ^0.2.0-prerelease.20201019174008 is needed to match it; a plain ^0.2.0 does not match prerelease versions.
2. Run npm update scratch-svg-renderer. If the package is only a transitive dependency (for example via scratch-render or scratch-gui), update the parent package or use your package manager's override/resolutions mechanism so the nested copy is replaced as well.
3. Rebuild and redeploy the application. The library runs in the browser, so users pick up the fix when they load the new bundle; no server restart is involved.

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Sanitize SVG server-side before it reaches scratch-svg-renderer, using a DOM-based allowlist sanitizer (for example DOMPurify's SVG profile) that removes script elements, foreignObject, event-handler attributes and javascript: URIs. Regex stripping of "<script" is not sufficient: the same payloads can be carried in attributes and in entity-encoded URIs.

Content Security Policy (applies to: all)

Serve a strict CSP (no unsafe-inline in script-src) so that inline scripts and event handlers injected through the SVG do not execute. This limits the damage but does not stop the markup injection itself, so use it alongside sanitization rather than instead of it.

🧯 If You Can't Patch

  • Disable SVG rendering (or SVG costume import) in the affected application until the package can be updated
  • Block SVG uploads at the application or WAF layer; filtering by file extension alone misses SVG carried inside project archives or data: URIs

🔍 How to Verify

Check if Vulnerable:

Read the version from node_modules/scratch-svg-renderer/package.json, and check the lockfile (package-lock.json or yarn.lock) for every resolved copy: the package is commonly pulled in transitively, and a nested node_modules copy can remain vulnerable after the top-level one is updated.

Check Version:

npm list scratch-svg-renderer

Verify Fix Applied:

Confirm every resolved copy is 0.2.0-prerelease.20201019174008 or later. As a functional check, load (in a disposable browser profile) an SVG whose text content carries markup for a harmless marker element, and confirm the marker does not appear as a live element in the page DOM.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG uploads (volume, source, or files far larger than a typical costume)
  • Browser-side error or CSP violation reports (for example from a report-uri endpoint or client error tracker) that coincide with SVG content being rendered

Network Indicators:

  • SVG files containing script tags or JavaScript URIs

SIEM Query:

source="web_logs" AND (uri="*.svg" OR content="<script" OR content="javascript:")

Treat this query as a starting point only: uri="*.svg" matches every legitimate SVG request, and the content= clauses need request-body logging that most web servers do not produce by default. Scanning uploaded SVG at the ingest point, after decoding character references, is more reliable than matching web logs.

🔗 References

  • https://github.com/LLK/scratch-svg-renderer/commit/9ebf57588aa596c4fa3bb64209e10ade395aee90
  • https://nvd.nist.gov/vuln/detail/CVE-2020-7750
