Advisories for Pypi/Xml2rfc package

2025

xml2rfc has file inclusion irregularities

Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new –allow-local-file-access flag. This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references. It was discovered that xml2rfc does not respect –allow-local-file-access when a local file is specified as src in artwork or sourcecode elements. Furthermore, XML entity references can include any file inside the source dir and below …

2022