GHSA-cf4q-4cqr-7g7w – xml2rfc
Package
Manager: pip
Name: xml2rfc
Vulnerable Version: >=0 <3.12.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
SVG with embedded scripts can lead to cross-site scripting attacks in xml2rfc

xml2rfc allows `script` elements in SVG sources. When such an SVG is rendered into HTML output, the embedded script elements can lead to XSS attacks. Sample XML snippet:

```xml
<artwork type="svg" src="data:image/svg+xml,%3Csvg viewBox='0 0 10 10' xmlns='http://www.w3.org/2000/svg'%3E%3Cscript%3E window.alert('Test Alert'); %3C/script%3E%3C/svg%3E">
</artwork>
```

### Impact

This vulnerability affects websites that publish HTML drafts and RFCs.

### Patches

This has been fixed in version [3.12.4](https://github.com/ietf-tools/xml2rfc/releases/tag/v3.12.4).

### Workarounds

If the SVG source is self-contained within the XML, strip `script` elements from the SVG before rendering.

### References

* https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [xml2rfc](https://github.com/ietf-tools/xml2rfc/)
* Email us at [operational-vulnerability@ietf.org](mailto:operational-vulnerability@ietf.org)
* [Infrastructure and Services Vulnerability Disclosure](https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure/)
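The workaround above (remove `script` elements from self-contained SVG sources) as an added example in Python; this is not xml2rfc's own code and uses only the standard library. It assumes the `src` value has the shape shown in the sample snippet (a `data:image/svg+xml` URI, percent- or base64-encoded) or is raw SVG markup; the function names `decode_data_uri`, `strip_script_elements` and `sanitize_artwork_src` are hypothetical, and the sample inputs are constructed from the advisory's snippet.

```python
"""Strip <script> elements from SVG artwork before it is embedded in HTML.

Added example, not xml2rfc's code. It implements the advisory's workaround:
decode the SVG carried by an <artwork type="svg" src="data:..."> value and
remove every `script` element (namespaced or not) before the markup is
rendered into HTML output.
"""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SVG_NS = "http://www.w3.org/2000/svg"


def decode_data_uri(src: str) -> str:
    """Return the SVG text held by a data: URI; raw markup is passed through.

    Handles both ';base64' payloads and the percent-encoded form used in the
    advisory's sample snippet.
    """
    if not src.startswith("data:"):
        return src  # already SVG markup
    header, _, payload = src[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8")
    return unquote(payload)


def strip_script_elements(svg_text: str) -> tuple[str, int]:
    """Parse SVG and delete every `script` element.

    Returns (cleaned markup, number of elements removed). Elements are matched
    on their local name so that both `{http://www.w3.org/2000/svg}script`
    (inherited default namespace, as in the sample) and a bare `script` are
    caught.
    """
    ET.register_namespace("", SVG_NS)  # keep xmlns="..." as the default namespace on output
    root = ET.fromstring(svg_text)
    removed = 0
    # ElementTree has no parent pointers: snapshot every element first, then
    # drop offending children from each one. Detached subtrees are harmless.
    for parent in list(root.iter()):
        for child in list(parent):
            local_name = child.tag.rsplit("}", 1)[-1]
            if local_name == "script":
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def sanitize_artwork_src(src: str) -> tuple[str, int]:
    """Decode an artwork `src` value and strip its script elements."""
    return strip_script_elements(decode_data_uri(src))


# Constructed inputs: the advisory's sample data URI, and a base64 variant.
SAMPLE_SRC = (
    "data:image/svg+xml,%3Csvg viewBox='0 0 10 10' "
    "xmlns='http://www.w3.org/2000/svg'%3E%3Cscript%3E "
    "window.alert('Test Alert'); %3C/script%3E%3C/svg%3E"
)
SAMPLE_B64_SRC = "data:image/svg+xml;base64," + base64.b64encode(
    b"<svg xmlns='http://www.w3.org/2000/svg'><g><script>1</script><rect/></g></svg>"
).decode("ascii")


if __name__ == "__main__":
    cleaned, count = sanitize_artwork_src(SAMPLE_SRC)
    print(f"removed {count} script element(s):")
    print(cleaned)
```

The helper removes only `script` elements, which is exactly what the advisory's workaround names; it is not a general SVG sanitizer, so treat it as a stop-gap for deployments that cannot move to 3.12.4 yet.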
Metadata
Created: 2022-04-22T20:25:53Z
Modified: 2022-04-22T20:25:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-cf4q-4cqr-7g7w/GHSA-cf4q-4cqr-7g7w.json
CWE IDs: ["CWE-79"]
Alternative ID: N/A
Finding: F008
Auto approve: 1