XML eXternal Entity (XXE) flaw in ParserPool and Decrypter
The BasicParserPool, StaticBasicParserPool, XML Decrypter, and SAML Decrypter in this package set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.
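The setting described above, shown next to a hardened configuration. This is an added example, not the package's own code: it uses the JDK's JAXP DocumentBuilderFactory directly rather than the ParserPool or Decrypter classes, the class and method names are hypothetical, and the sample document is constructed and declares only a harmless internal entity.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical class name; illustrates the setting, not the package's parser pool.
public class HardenedParserExample {

    // Weak configuration from the advisory: entity references are expanded.
    static DocumentBuilderFactory permissiveFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setExpandEntityReferences(true);
        return f;
    }

    // Hardened configuration: no entity expansion, and any DOCTYPE is refused.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setExpandEntityReferences(false);
        // Enable the JAXP secure-processing limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces/JDK feature: a DOCTYPE declaration becomes a fatal parse error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    // Parses the input and reports whether it was accepted or rejected.
    static String parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed, text=" + d.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: DOCTYPE with an internal entity only.
        String xml = "<!DOCTYPE r [<!ENTITY e \"expanded\">]><r>&e;</r>";
        System.out.println("permissive -> " + parse(permissiveFactory(), xml));
        System.out.println("hardened   -> " + parse(hardenedFactory(), xml));
    }
}
```

Refusing the DOCTYPE outright is the stricter of the two controls, since SAML messages have no legitimate need for one; turning off entity expansion alone still lets the parser read the declaration.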