(In reply to comment #3)
> I agree with Thomas.
I agree with Thomas and Jeremias as well.
> However, it might be a good idea to write some documentation about it so
> users are reminded to secure their applications.
Decreasing severity and moving this to the "Web Site" component, more in the sense of "Documentation" (which doesn't exist); "javadoc" alone doesn't feel right either: I'd say that these sorts of reminders belong at a higher level than Javadoc, although probably something might be done in code documentation as well.
(In reply to comment #0)
> During visualization with Squiggle or rasterization via the CLI tool, XML
> external entities defined in the DTD are dereferenced and the content of the
> target file is included in the output.
> The impact of this vulnerability ranges from denial of service to file
> disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.
First of all, thanks for the report!
Thomas has provided good insight about this potential issue in comment #2. Based on the feedback and on a few tests performed, I'd say the example provided is roughly equivalent to an ECMAScript getURL fetching "/etc/passwd" (using the "file" protocol).
If you still believe this can be considered a security issue then please adjust the priority accordingly. In any case, elaborating a bit more would help, either to further understand what is involved or simply to serve as a basis for the documentation improvements.