Thanks Scott. I was going for a reading like this as well, but there's a little too much ambiguity in the original wording for me to feel comfortable reading it like that. I say that considering that the CVSSv3 score assigned to this vulnerability (7.5) is rather high if the bug requires you to load untrusted XML parsers to be effective.
-- Sent from: http://apache-xml-project.6118.n7.nabble.com/Apache-XML-Security-Dev-f33675.html
