Advisories for Maven/Org.xwiki.contrib.jira/Jira-Macro-Default package

2025

The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server

If the JIRA macro is installed, any logged-in XWiki user could edit their own user profile wiki page and use the JIRA macro there, pointing it at a fake JIRA URL that returns XML whose DOCTYPE references a local file on the XWiki server host; the content of that file is then displayed in one of the returned JIRA fields (such as the summary or description). For example: <?xml version="1.0" encoding="UTF-8"?> …
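The mitigation is to parse any XML fetched from a configured JIRA server with a parser that refuses DOCTYPE declarations and external entities. The following is an added illustration, not code from the XWiki JIRA extension; the response format (rss/channel/item/summary), the placeholder file path and the sample responses are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedJiraXmlParser {

    // Builds a DOM parser that rejects any DOCTYPE, so an entity declared in a
    // JIRA response can never be resolved against files on the XWiki host.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the body of a JIRA search response; returns null when the
    // document is rejected (e.g. because it carries a DOCTYPE).
    static Document parseResponse(String body) throws Exception {
        try {
            byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
            return hardenedBuilder().parse(new ByteArrayInputStream(bytes));
        } catch (SAXParseException e) {
            System.out.println("Rejected JIRA response: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a response from a fake JIRA server: the DOCTYPE
        // declares an external entity (placeholder path) echoed in the summary.
        String malicious = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<!DOCTYPE rss [<!ENTITY leak SYSTEM \"file:///PLACEHOLDER/local-file\">]>\n"
            + "<rss><channel><item><summary>&leak;</summary></item></channel></rss>";
        // Constructed sample of a legitimate response: no DOCTYPE at all.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<rss><channel><item><summary>Fix login bug</summary></item></channel></rss>";

        System.out.println("malicious rejected: " + (parseResponse(malicious) == null));
        System.out.println("benign parsed: " + (parseResponse(benign) != null));
    }
}
```

With the default JDK parser the malicious sample fails at the DOCTYPE before any entity is resolved, while the benign sample parses normally.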