CVE-2020-12719
HIGH
WSO2 API Manager < 3.0.0 - XML External Entity Injection via EventPublisher Update
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.
References (1)
Core References
Vendor Advisory x_refsource_misc
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665
Scores
CVSS v3: 7.2
EPSS: 0.0103
EPSS Percentile: 59.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-611
Status: published
Products (7)
wso2/api_manager: < 3.0.0
wso2/api_manager_analytics: < 2.5.0
wso2/api_microgateway: 2.2.0
wso2/enterprise_integrator: < 6.4.0
wso2/identity_server: < 5.9.0
wso2/identity_server_analytics: < 5.6.0
wso2/identity_server_as_key_manager: < 5.9.0
Published: May 08, 2020
Tracked Since: Feb 18, 2026