bw-webdav is vulnerable to XML external entity (XXE) attacks. The parseContent function in webdav/servlet/common/MethodBase.java and the processXML function in webdav/servlet/common/PostRequestPars.java do not implement secure XML parsing, which allows a remote attacker to perform XXE attacks against the application via a specially crafted XML file.