Description
This affects the package scratch-svg-renderer before 0.2.0-prerelease.20201019174008. The loadString function does not escape SVG properly, which can be used to inject arbitrary elements into the DOM via the _transformMeasurements function.
Remediation
References
https://snyk.io/vuln/SNYK-JS-SCRATCHSVGRENDERER-1020497
https://github.com/LLK/scratch-svg-renderer/commit/9ebf57588aa596c4fa3bb64209e10ade395aee90
Related Vulnerabilities
CVE-2018-3749 Vulnerability in maven package org.webjars.npm:deap
CVE-2016-10654 Vulnerability in npm package sfml
CVE-2019-10785 Vulnerability in maven package org.webjars.bower:dojox
CVE-2011-4838 Vulnerability in maven package org.jruby:jruby
CVE-2015-8859 Vulnerability in maven package org.webjars.npm:send