A security fix is available for Fusion that plugs up a security hole in XML2JSON.php to prevent XML External Entity injection attacks and should be applied as soon as possible. This fix has been made available for Fusion for MapGuide Open Source 2.2 and newer releases.
To apply this fix, locate the appropriate patch archive for your applicable version of MapGuide Open Source, and extract the XML2JSON.php within that zip file to the common\php directory of your Fusion installation, overwriting the existing XML2JSON.php file.
For example on Windows, if your fusion installation is in C:\Program Files\OSGeo\MapGuide\Web\www\fusion, then extract the zip file into C:\Program Files\OSGeo\MapGuide\Web\www\fusion\common\php and overwrite the existing XML2JSON.php file
For example on Linux, if your fusion installation is in /usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion, then extract the zip file into /usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion/common/php and overwrite the existing XML2JSON.php file