XXE/XEE attacks have been known for quite a long time, although they are not popular. They can lead to DoS or to stealing local files from the server by means of prepared XML requests that define custom XML entities.
The current WebService implementation passes the request straight to the PHP SOAP server, which may expose such vulnerabilities to the public. We should patch this component similarly to Zend and Symfony (commit #25031 in http://framework.zend.com/code/log.php?repname=Zend+Framework&path=%2Ftrunk%2Flibrary%2FZend%2FSoap%2FServer.php&rev=25031&peg=25176)
I can provide a patch soon.
patch for webservice XXE/XEE vulnerability
I'll reopen this if needed. See: #2177 (comment)
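
A sketch of the kind of hardening the issue description asks for, added here as an example (it is not the attached patch, nor Zend's or Symfony's code): the raw request is rejected if it declares a DOCTYPE, so no custom entity can be defined before the body reaches PHP's `SoapServer`. The function names `assertNoDoctype` and `handleSoapRequest` are hypothetical, and the sample requests are constructed.

```php
<?php
// Added example; assertNoDoctype() and handleSoapRequest() are hypothetical names.
/** Reject a SOAP request that declares a DOCTYPE, so no custom entity is ever defined. */
function assertNoDoctype(string $xml): void
{
    // PHP < 8.0 only: stop libxml from loading external entities while we parse.
    $previous = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $useErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET blocks network access; LIBXML_NOENT (substitution) is not passed.
        if (trim($xml) === '' || !$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML in SOAP request');
        }
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE not allowed in SOAP request');
            }
        }
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($useErrors);
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

/** Validate first, then hand the same bytes to the SOAP server. */
function handleSoapRequest(SoapServer $server, string $xml): void
{
    assertNoDoctype($xml);   // throws before ext/soap ever parses the body
    $server->handle($xml);
}

// Constructed sample inputs (the entity is internal and harmless).
$ns = 'http://schemas.xmlsoap.org/soap/envelope/';
$samples = [
    'plain envelope' => "<?xml version=\"1.0\"?><s:Envelope xmlns:s=\"$ns\"><s:Body/></s:Envelope>",
    'with DOCTYPE'   => "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY e \"x\">]><s:Envelope xmlns:s=\"$ns\"><s:Body>&e;</s:Body></s:Envelope>",
];
foreach ($samples as $label => $xml) {
    try {
        assertNoDoctype($xml);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Legitimate SOAP envelopes do not need a DOCTYPE, so rejecting it outright covers both external-entity file reads and entity-expansion DoS without depending on parser defaults.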