The default configuration for Liferay DXP 7.1 and Liferay Digital Enterprise 7.0 allow attackers to conduct XML External Entity (XXE) attacks via XSL templates in XSL Content and Web Content.
Possible Mitigation Actions
Choose the one which is most suitable for your installation.
A.) Create a file called com.liferay.portal.template.xsl.configuration.XSLEngineConfiguration.config with content secureProcessingEnabled=true and place it into LIFERAY_HOME/osgi/configs
B.) Navigate to Control Panel - System Settings - <Platform/Foundation> - Template Engines - XSL Engine and enable "Secure Processing Enabled"
C.) Install a Fix Pack which includes the fix for this
D.) Request a new Hotfix which includes the fix for this