The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF. ~ eleix (Security Padawan) Reproducible: Didn't try
*** This bug has been marked as a duplicate of bug 636976 ***