A critical vulnerability has been fixed in Crowd, a single sign-on (SSO) and identity management tool used by large organizations. The vulnerability stems from the way in which Crowd parses external XML entities defined in Document Type Definition (DTD) headers. An attacker can exploit the vulnerability by sending requests with specially crafted entity URLs in order to trick the server into returning any file from the internal network that it has access to. The new issue has been assigned the CVE-2013-3925 identifier and was fixed in the latest stable version of the product.
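The article does not show how Crowd's parser was changed, so the following is an added example, not Crowd's or Atlassian's code, of the generic control the described bug class calls for: refuse any document that carries a DTD (the only place entities can be declared) before it reaches the XML parser, and record a loggable verdict so attempts show up in detection. The function names, the `UnsafeXMLError` type and both sample documents are constructed for this illustration; the entity URL in the sample points at a placeholder path.

```python
"""Reject DTD-bearing XML before it reaches the parser (generic XXE mitigation).

Added example, not Crowd's own code: the article does not show Crowd's fix,
so this illustrates the standard control it implies. All sample documents
below are constructed for the demonstration.
"""
import codecs
import re
import xml.etree.ElementTree as ET

# A DTD is the only place an XML document can declare entities, so refusing any
# <!DOCTYPE ...> (and, as a stronger signal, any SYSTEM/PUBLIC entity) blocks
# the whole class regardless of which URL scheme the entity points at.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


class UnsafeXMLError(ValueError):
    """Raised for documents that declare a DTD; the verdict is kept for logging."""

    def __init__(self, verdict):
        super().__init__(f"rejected XML: {verdict} declaration present")
        self.verdict = verdict


def _to_text(xml_bytes):
    """Decode by BOM so a UTF-16 body cannot slip a DOCTYPE past a byte-level check."""
    if xml_bytes.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return xml_bytes.decode("utf-16")
    return xml_bytes.decode("utf-8", errors="replace")


def classify(xml_bytes):
    """Return 'external-entity', 'dtd' or 'clean' for the request log / alerting."""
    text = _to_text(xml_bytes)
    if _EXTERNAL_ENTITY_RE.search(text):
        return "external-entity"
    if _DOCTYPE_RE.search(text):
        return "dtd"
    return "clean"


def safe_parse(xml_bytes):
    """Parse only DTD-free documents; raise UnsafeXMLError otherwise.

    ElementTree's expat backend does not fetch external entities on its own,
    but the allow-list check is the actual control: it does not depend on the
    parser's defaults and gives a reason that can be logged and alerted on.
    """
    verdict = classify(xml_bytes)
    if verdict != "clean":
        raise UnsafeXMLError(verdict)
    return ET.fromstring(xml_bytes)


# Constructed sample inputs: a benign request body and one carrying an external
# entity that points at a placeholder path (no real target).
BENIGN = b'<?xml version="1.0"?><user><name>alice</name></user>'
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
    b"<user><name>&ext;</name></user>"
)


def demo():
    """Return the verdict for each sample and whether the DTD document was parsed."""
    results = {"benign": classify(BENIGN), "with_dtd": classify(WITH_DTD)}
    try:
        safe_parse(WITH_DTD)
        results["parsed_dtd_doc"] = True
    except UnsafeXMLError:
        results["parsed_dtd_doc"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The check runs on decoded text rather than raw bytes so that a UTF-16 body cannot hide its declaration from a byte-level pattern, and it rejects every DTD rather than only `SYSTEM` entities, since a product like Crowd has no legitimate need to accept client-supplied DTDs. The same policy is expressed in Java parsers by disallowing the doctype declaration on the factory; the pre-parse check here is parser-independent.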

