AS we're using simpleXML for xml reading still, we need to use libxml_disable_entity_loader(true); for XXE security patch

Classes/PHPExcel/Settings.php

@@ -377,6 +377,7 @@ class PHPExcel_Settings
      */
     public static function getLibXmlLoaderOptions()
     {
+        libxml_disable_entity_loader(true);
         if (is_null(self::$_libXmlLoaderOptions)) {
             self::$_libXmlLoaderOptions = LIBXML_DTDLOAD | LIBXML_DTDATTR;
         }