The GateIn Portal Export / Import Gadget is vulnerable to XXE (XML eXternal Entity) attacks. If the XML provided to the import gadget contains an external XML entity, this XML entity will be resolved. A remote attacker who can access the import gadget could use this flaw to read files in the context of the user running the application server.
This issue was discovered by Arun Neelicattu and David Jorm of the Red Hat Security Response Team.
This issue has been addressed in the following products:
JBoss Enterprise Portal Platform 5.2.2
Via RHSA-2013:0613 https://rhn.redhat.com/errata/RHSA-2013-0613.html