XML External Entity (XXE) Injection

com.twelvemonkeys.imageio, imageio-metadata is vulnerable to XML external entity injection attacks. The vulnerability exist in parseDirectories function in XMPReader.javadue to lack of validation in XML parser which allows attackers to submit malicious XML and gain access to sensitive information.