I haven't really been posting advisories on this website for the past year, however a series of XML Injection/XXe vulnerabilities in Adobe products caught my eye. XML Injection is to web services, what XSS is to web pages (an attacker controllable application response able to perform abuses against the consumer). This advisory provides a good explanation and examples of these rarely discussed attack types.

• BlazeDS 3.2 and earlier versions
• LiveCycle 9.0, 8.2.1, and 8.0.1
• LiveCycle Data Services 3.0, 2.6.1, and 2.5.1
• Flex Data Services 2.0.1
• ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2

For those interested in attacking XML consumers and Web Services be sure to also check out the WASC Threat Classification's list of XML related attacks.

Full Advisory: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
Adobe Patches: http://www.adobe.com/support/security/bulletins/apsb10-05.html
Mitre CVE-2009-3960: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3960