When all of the following apply:
1) The application has a remoted method accepting XML data as input through a DOM parameter.
2) The DOM parameter is converted with one of the DWR DOM converters (DOMConverter, JDOMConverter, DOM4JConverter or XOMConverter).
3) There is a way to fetch the parsed XML from the outside.
then an attacker may be able to view private data.
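The underlying risk is that a JAXP DOM parser, left at its defaults, will honour a DOCTYPE and resolve external entities declared in untrusted input. The following is an added example, not code from DWR or from its checked-in fix: it shows a default factory beside a hardened one (DOCTYPE disallowed, entity expansion and external DTD loading off) and a check that feeds each a constructed document carrying a DOCTYPE. The feature URIs are the standard Xerces ones shipped with the JDK; on a different parser implementation `setFeature` may throw `ParserConfigurationException`.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedDomParse {

    // Weak setting: a default factory keeps DOCTYPE handling and external
    // entity resolution enabled, so untrusted XML can reference local data.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened setting: reject any DOCTYPE and switch off entity expansion,
    // external entities and external DTD loading (Xerces feature names).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // True if the factory accepts a document carrying a DOCTYPE, i.e. one
    // that could declare an entity. The sample is constructed and uses an
    // internal entity only; the hardened factory rejects the DOCTYPE itself.
    static boolean acceptsDoctype(DocumentBuilderFactory f) throws Exception {
        String xml = "<!DOCTYPE data [<!ENTITY g \"hello\">]><data>&g;</data>";
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory accepts DOCTYPE: " + acceptsDoctype(weakFactory()));
        System.out.println("hardened factory accepts DOCTYPE: " + acceptsDoctype(hardenedFactory()));
    }
}
```

Any parser that a DOM converter hands untrusted input to should be built from the hardened factory, and `acceptsDoctype` is the kind of check a unit test can keep in place to catch a regression to the defaults.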
Big thanks to Takeshi Terada of Mitsui Bussan Secure Directions and JPCERT for reporting this issue:
Implementation checked in.