An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.

Improper Restriction of XML External Entity Reference in org.apache.syncope:syncope-core