guzzlehttp/guzzle-services: CDATA injection via unsafe XML serialization
What changed
guzzlehttp/guzzle-services does not safely serialize scalar XML element values containing the CDATA terminator `]]>`, allowing attacker-controlled input to close the CDATA section early and inject XML markup into outgoing requests.
Who it affects
Applications that use guzzlehttp/guzzle-services to build outgoing requests with `location: xml` parameters, where a parameter value is serialized as XML element text and carries untrusted input that is not constrained by a safe `enum`, a `pattern`, or a custom filter that rejects `]]>`.
What to do today
Upgrade to version 1.5.4 or later. If you cannot upgrade yet, constrain attacker-controlled XML element values with a strict `enum`, a `pattern`, or a custom filter that rejects `]]>`, or stop serializing untrusted data into `location: xml` element text until you can.
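The following is an added illustration, not code from guzzle-services or this advisory. It shows why a value containing `]]>` breaks out of a naively built CDATA section, and the two mitigations above side by side: a serializer that splits the terminator across CDATA sections, and a filter that rejects such values outright. The function names, the `<user>`/`<name>`/`<admin>` element names and the payload are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from guzzle-services. Shows how a value containing
// "]]>" breaks out of a naively built CDATA section, and two mitigations:
// splitting the terminator across CDATA sections, and rejecting the value outright.

/** Naive serialization: the value is copied verbatim into one CDATA section. */
function unsafeCdata(string $value): string
{
    return '<![CDATA[' . $value . ']]>';
}

/** Safe serialization: every "]]>" is split so no single CDATA section contains it. */
function safeCdata(string $value): string
{
    // "]]>" -> "]]" + "]]><![CDATA[" + ">" : the section closes after "]]" and a new
    // one opens before ">", so the parser never sees a stray terminator.
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $value) . ']]>';
}

/** Alternative mitigation: a filter that refuses any value able to close a CDATA section. */
function rejectCdataTerminator(string $value): string
{
    if (strpos($value, ']]>') !== false) {
        throw new InvalidArgumentException('value must not contain "]]>"');
    }
    return $value;
}

/**
 * Parse a request body the way the receiving side would and report what its
 * XML parser actually sees: the text of <name> and how many <admin> elements exist.
 */
function inspect(string $xml): array
{
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    return [
        'name_text'   => $doc->getElementsByTagName('name')->item(0)->textContent,
        'admin_count' => $doc->getElementsByTagName('admin')->length,
    ];
}

// Constructed attacker-controlled input: closes the CDATA section early, injects an
// element, and reopens CDATA so the document still parses without error.
$payload = 'Alice]]><admin>true</admin><![CDATA[';

$unsafeBody = '<user><name>' . unsafeCdata($payload) . '</name></user>';
$safeBody   = '<user><name>' . safeCdata($payload) . '</name></user>';

// In the unsafe body the injected <admin> is parsed as a real child element of <user>;
// in the safe body no <admin> element exists and the text of <name> is the payload verbatim.
print_r(inspect($unsafeBody));
print_r(inspect($safeBody));

// The filter-based mitigation refuses the payload before it is ever serialized.
try {
    rejectCdataTerminator($payload);
} catch (InvalidArgumentException $e) {
    echo 'filter rejected input: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The `rejectCdataTerminator` function is the shape of check the advisory calls a custom filter; how you attach it to a parameter in a guzzle-services service description depends on your description format and is not shown here. Splitting the terminator, as `safeCdata` does, is the standard way to place arbitrary text inside CDATA; validating with a strict `enum` or `pattern` is the stronger option when the value has a known shape.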