The XML parser doesn't disable inline DTD parsing by default, or does not provide a means to disable it, AFAIK.
The XML parsing engine in SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:
Access arbitrary files from the filesystem with the same permission as the user account running UMS.
Initiate SMB connections to capture the NetNTLM challenge/response and crack it to recover the clear-text password.
Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).
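One way to close this class of bug on the parsing side, as an added example that is not UMS's own code: it assumes the UPnP device description is parsed with the JDK's JAXP `DocumentBuilderFactory`, and the class name, method names and sample descriptors are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper, not part of UMS. Assumes the JDK's built-in JAXP DOM parser.
public class HardenedUpnpXml {

    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: refuse any document that carries a DOCTYPE at all,
        // so inline DTDs and entity declarations never reach the parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Defense in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // JAXP 1.5 properties: an empty protocol list blocks file, http, etc.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Parses a device description and returns its friendlyName element text.
    static String friendlyName(String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        Document d = newHardenedBuilder().parse(new ByteArrayInputStream(bytes));
        return d.getElementsByTagNameNS("*", "friendlyName").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample descriptors; the second carries a harmless inline DTD.
        String open = "<root xmlns=\"urn:schemas-upnp-org:device-1-0\"><device><friendlyName>";
        String close = "</friendlyName></device></root>";
        String plain = open + "Living Room TV" + close;
        String withDtd = "<!DOCTYPE root [<!ENTITY e \"x\">]>" + open + "&e;" + close;

        System.out.println("plain: " + friendlyName(plain));
        try {
            System.out.println("with DTD: " + friendlyName(withDtd));
        } catch (SAXException ex) {
            System.out.println("with DTD rejected: " + ex.getMessage());
        }
    }
}
```

The well-formed descriptor parses normally, while the one carrying a `DOCTYPE` fails with a `SAXParseException` before any entity is resolved. A rejected descriptor from a LAN device is also worth logging, since legitimate UPnP device descriptions do not need a DTD.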