Description
The Management Console in certain WSO2 products allows XML External Entity (XXE) attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.
Remediation
References
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728
Related Vulnerabilities
CVE-2019-10414 Vulnerability in maven package de.wellnerbou.jenkins:git-changelog
CVE-2017-17837 Vulnerability in maven package org.apache.deltaspike.modules:jsf-module-project
CVE-2020-10714 Vulnerability in maven package org.wildfly.security:wildfly-elytron
CVE-2022-38370 Vulnerability in maven package org.apache.iotdb:iotdb-grafana-connector