The parseDocument() in PushDownXmlHandler.java does not disable the xml external entity when parsing the xml. When the parsed resource is under the control of the attacker, the xml external entity attack may be constructed by constructing a malicious xml.
The parseDocument() in PushDownXmlHandler.java does not disable the xml external entity when parsing the xml. When the parsed resource is under the control of the attacker, the xml external entity attack may be constructed by constructing a malicious xml.