I haven't really been posting advisories on this website for the past year; however, a series of XML Injection/XXE vulnerabilities in Adobe products caught my eye. XML Injection is to web services what XSS is to web pages (an attacker-controllable application response able to perform abuses against the consumer). This advisory provides a good explanation and examples of these rarely discussed attack types.

Products affected

BlazeDS 3.2 and earlier versions

LiveCycle 9.0, 8.2.1, and 8.0.1

LiveCycle Data Services 3.0, 2.6.1, and 2.5.1

Flex Data Services 2.0.1

ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

For those interested in attacking XML consumers and Web Services, be sure to also check out the WASC Threat Classification's list of XML-related attacks.

Full Advisory: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf

Adobe Patches: http://www.adobe.com/support/security/bulletins/apsb10-05.html

Mitre CVE-2009-3960: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3960