CVE-2020-10799: SVGlib Vulnerable to XXE Attacks

May 6, 2021 (updated October 28, 2024)

The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call.

References

github.com/advisories/GHSA-3vcg-8p79-jpcv
github.com/deeplook/svglib
github.com/deeplook/svglib/commit/35686a130ed260c71a382a8f83d41fd31a46704d
github.com/deeplook/svglib/issues/229
github.com/pypa/advisory-database/tree/main/vulns/svglib/PYSEC-2020-111.yaml
nvd.nist.gov/vuln/detail/CVE-2020-10799

Detect and mitigate CVE-2020-10799 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →