A form validation method that accepts XML does not perform permission checks. This allows users with Overall/Read permission to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.