Juraj Somorovsky and Tibor Jager from Ruhr University Bochum (RUB) found a weakness in the way XML Encryption (W3C standard) messages are processed by compliant implementations. The attack is chosen-ciphertext type and it only works if AES in CBC mode is used. The standard allows AES-128, AES-256 and AES-192 and 3DES in CBC mode. The attack doesn’t work if 3DES is used.
http://aktuell.ruhr-uni-bochum.de/pm2011/pm00330.html.en