Moodle is susceptible to XML external entity (XXE) injection attacks. The attacks exist because mod/imscp/locallib.php
does not filter the input XML files to the IMSCC course format or the IMSCP resource, thereby allowing attackers to input malicious XML files and read server-side files.