The GateIn Portal Export / Import Gadget is vulnerable to XXE (XML eXternal Entity) attacks. If the XML provided to the import gadget contains an external XML entity, the parser resolves that entity. A remote attacker who can access the import gadget could use this flaw to read files in the context of the user running the application server.
Acknowledgements: This issue was discovered by Arun Neelicattu and David Jorm of the Red Hat Security Response Team.
This issue has been addressed in the following products: JBoss Enterprise Portal Platform 5.2.2, via RHSA-2013:0613 (https://rhn.redhat.com/errata/RHSA-2013-0613.html).