On 3/4/15, 6:23 PM, "Michael Glavassevich" <mrgla...@ca.ibm.com> wrote:
> -1. XXE is not a vulnerability in the parser. It may be a vulnerability
> for an application/product, but that is the developer's responsibility to
> apply proper configuration to protect themselves in the right context.

The issue is a trade-off between the time to do a release and the value of changing a default. It's not a vulnerability and nobody said it was. If you want to claim that the other vulnerability is in fact not a vulnerability, then that would be new and valuable information to me, which is why I asked about it again in this thread.

--
Scott
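The "proper configuration" the quoted message puts on the application developer, shown side by side with the library default it is meant to override. This is an added example and is not code from this thread or from the parser project under discussion; the class name XxeDefaults, the temp-file setup and the XML payload are constructed for the demonstration. The feature URIs are the documented Xerces/JAXP ones and are assumed to be supported by the JAXP implementation on the classpath (they are by the JDK's bundled Xerces fork).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDefaults {

    // Constructed XXE payload: the internal DTD subset declares an external
    // general entity pointing at a local file, and the document body expands it.
    static String payload(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE doc [\n"
             + "  <!ENTITY secret SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<doc>&secret;</doc>";
    }

    // Parser left at the library defaults: nothing stops the entity from
    // being resolved, so the file contents end up in the DOM.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // The configuration the application is expected to apply itself.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE is the strongest option when the application
        // never needs a DTD; the parse fails before an entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for code paths or parsers where a DOCTYPE must be
        // accepted: do not resolve external general/parameter entities or DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Caps entity expansion and other resource use (billion-laughs style).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // XInclude is another way to pull in external content.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the document and returns the root element's text, i.e. whatever
    // the entity reference expanded to.
    static String parseText(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive local file, written by the demo itself.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "local-file-contents".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);
        try {
            System.out.println("default parser  : " + parseText(defaultParser(), xml));
            try {
                System.out.println("hardened parser : " + parseText(hardenedParser(), xml));
            } catch (SAXParseException e) {
                // disallow-doctype-decl makes the parser reject the DOCTYPE outright.
                System.out.println("hardened parser : rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac XxeDefaults.java && java XxeDefaults`. The first line prints the temp file's contents because the default factory resolves the SYSTEM entity; the second reports a parse error from the hardened factory. If a deployment genuinely needs DTDs, drop only the disallow-doctype-decl line and rely on the entity and external-DTD features, and check that the JAXP implementation actually in use supports each feature (setFeature throws ParserConfigurationException if it does not, which is the safe failure).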