Description
An XML External Entity (XXE) vulnerability can occur during an EventPublisher update in the Management Console of WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.
Remediation
References
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665