The software does not restrict a reference to a Document Type
Definition (DTD) to the intended control sphere. This might allow attackers to
reference arbitrary DTDs, possibly causing the software to expose files, consume
excessive system resources, or execute arbitrary http requests on behalf of the
attacker.