org.codehaus.plexus.util.xml#writeComment(XMLWriter, String, int, int, int) does not check if the comment includes a "-->" sequence. This means that text contained in the comment string could be interpreted as XML, possibly leading to XML injection issues, depending on how this method is being called.
Similarly, org.codehaus.plexus.util.xml.pull.MXSerializer should avoid XML injection through comments, processing instructions, CDATA sections, etc.
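The check the report asks for, as an added illustration (this is not plexus-utils code; the class `SafeXmlComment` and its methods are hypothetical names). It contrasts what an unchecked writer emits for comment text containing "-->" with a variant that validates per XML 1.0 (no "--" inside a comment, no trailing "-") and a variant that neutralises such input instead of rejecting it.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

public final class SafeXmlComment {
    // XML 1.0 section 2.5: comment text may not contain "--" and may not end with "-".
    // Anything containing "--" can close the comment early and be parsed as markup.
    static boolean isValidCommentText(String text) {
        return text != null && !text.contains("--") && !text.endsWith("-");
    }

    // Hardened writer: refuses text that would terminate or malform the comment.
    static void writeComment(Writer out, String text) throws IOException {
        if (!isValidCommentText(text)) {
            throw new IllegalArgumentException("comment text must not contain \"--\" or end with \"-\"");
        }
        out.write("<!-- ");
        out.write(text);
        out.write(" -->");
    }

    // Alternative for untrusted input: break up every "--" run and any trailing "-"
    // so the text can no longer close the comment, then pass it to the checked writer.
    static String sanitizeCommentText(String text) {
        String s = text.replaceAll("-(?=-)", "- "); // "---" becomes "- - -"
        return s.endsWith("-") ? s + " " : s;
    }

    public static void main(String[] args) throws IOException {
        // Constructed untrusted input: closes the comment, injects an element, reopens a comment.
        String hostile = "build info --><injected/><!--";

        StringWriter unchecked = new StringWriter();
        unchecked.write("<!-- " + hostile + " -->"); // what a writer without the check emits
        System.out.println("unchecked: " + unchecked); // <injected/> is now live markup

        StringWriter checked = new StringWriter();
        try {
            writeComment(checked, hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        writeComment(checked, sanitizeCommentText(hostile));
        System.out.println("sanitised: " + checked); // "--" sequences no longer present
    }
}
```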
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle. Changing version to '20'. More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20
This is a feature request and as such it has been forwarded upstream: http://jira.codehaus.org/browse/PLXUTILS-177
Re-reported here: https://github.com/codehaus-plexus/plexus-utils/issues/3 https://github.com/sonatype/plexus-utils/issues/19
Fixed in upstream version 3.0.24