CVE-2020-24591
MEDIUM
WSO2 Management Console - XML External Entity Injection via EventReceiver Updates
Title source: manual
Description
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.
References (1)
Core References
Vendor Advisory x_refsource_misc
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728
Scores
CVSS v3
6.5
EPSS
0.0103
EPSS Percentile
59.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Details
CWE
CWE-611
Status
published
Products (7)
wso2/api_manager
< 3.0.0
wso2/api_manager_analytics
2.2.0
wso2/api_manager_analytics
2.5.0
wso2/api_microgateway
2.2.0
wso2/enterprise_integrator
6.2.0
wso2/enterprise_integrator
6.3.0
wso2/identity_server_analytics
< 5.6.0
Published
Aug 21, 2020
Tracked Since
Feb 18, 2026