Ebase Xi - Unsafe by Default - XXE

In my previous blog post I questioned the safety of the default configuration of Ebase Xi. I knew then that something was wrong as I had already found and reported two vulnerabilities to Ebase. But nothing happened. On the 6th of march, much to my surprise, I got an official Ebase security alert informing me that 'All Ebase Servers are vulnerable to XXE attacks'. Which was one of the two issues I originally reported. Now that its public knowledge you can read this post for full details.