Advisories for Pypi/Xml2rfc package

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML.

Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new –allow-local-file-access flag. This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references. It was discovered that xml2rfc does not respect –allow-local-file-access when a local file is specified as src in artwork or sourcecode elements. Furthermore, XML entity references can include any file inside the source dir and below …

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xml2rfc.