It's possible to inject file via XML
vulners.com/securityvulns/securityvulns:doc:27835
vulners.com/securityvulns/securityvulns:doc:27872