Description
The Management Console in certain WSO2 products allows XML External Entity (XXE) attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.
Remediation
References
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728
Related Vulnerabilities
CVE-2020-2289 Vulnerability in maven package org.biouno:uno-choice
CVE-2015-3269 Vulnerability in maven package org.apache.flex.blazeds:flex-messaging-core
CVE-2016-5388 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2019-0224 Vulnerability in maven package org.apache.jspwiki:jspwiki-builder
CVE-2019-10475 Vulnerability in maven package org.jenkins-ci.plugins:build-metrics