All,
We fixed a security vulnerability in multiple add-ons and shipped this fix with the patch releases 2.5.12 and 3.0.1.
Please use this topic in case you have any questions about it.
Cheers,
Kai
Details on the XXE attack can be found at XML External Entity (XXE) Processing | OWASP.