OWASP XML External Entities (XXE)

September 10th, 2022

XML external entity (XXE) injection

<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>


Most XML parsers resolve external entities by default, so they are vulnerable to XXE injection out of the box.

You have to configure them explicitly to be safe (disable DTD processing and external entity resolution).
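As an added example (not code from the original post or from Nygard's book), here is one way a Python service can apply that advice: reject any untrusted document that carries a DOCTYPE before it ever reaches the parser, and, as a second layer, switch off external-entity resolution in the standard-library SAX parser so a declaration that slips through is still not fetched. The function and constant names are my own; the first sample document is the payload from this page, the second is a constructed benign document.

```python
import io
import xml.sax
from xml.sax.handler import feature_external_ges, feature_external_pes

# The XXE payload shown on this page (constant name is mine).
PAGE_XXE_PAYLOAD = b"""<!DOCTYPE foo [
<!ELEMENT foo ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>"""

# Constructed benign input for comparison.
SAFE_DOC = b"<foo>hello</foo>"


class DTDNotAllowed(ValueError):
    """Raised when untrusted XML declares a DTD (where <!ENTITY ... SYSTEM> lives)."""


def has_doctype(data: bytes) -> bool:
    # XML keywords are case-sensitive, so a DOCTYPE declaration always
    # appears exactly as "<!DOCTYPE"; rejecting it removes the place
    # where external entities can be declared at all.
    return b"<!DOCTYPE" in data


class _Collector(xml.sax.ContentHandler):
    """Minimal handler: remembers the root element name and text content."""

    def __init__(self):
        super().__init__()
        self.root = None
        self.text = []

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name

    def characters(self, content):
        self.text.append(content)


def parse_safely(data: bytes) -> dict:
    """Parse untrusted XML with DTDs refused and external entities disabled."""
    # Layer 1: refuse documents that declare a DTD at all.
    if has_doctype(data):
        raise DTDNotAllowed("DOCTYPE declarations are not accepted from untrusted input")

    # Layer 2: even if a DTD were present, never resolve external
    # general or parameter entities (this is the "configure it to be
    # safe" step the post talks about, for Python's expat-backed SAX parser).
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)

    handler = _Collector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return {"root": handler.root, "text": "".join(handler.text)}


if __name__ == "__main__":
    try:
        parse_safely(PAGE_XXE_PAYLOAD)
    except DTDNotAllowed as exc:
        print("rejected:", exc)
    print("accepted:", parse_safely(SAFE_DOC))
```

The DOCTYPE check is deliberately blunt: for untrusted input there is rarely a legitimate reason to accept a DTD, and refusing it up front means the parser's own settings are a backstop rather than the only line of defence. The equivalent knobs exist in other stacks (for example the DOCTYPE-disallow and external-entity features on Java's DocumentBuilderFactory), but the names differ per parser, so check the documentation of the one you actually use.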


(Source: Release It!, Michael Nygard)
