CVE-2020-12719

XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.

Published: May 8, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-12719
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
wso2 / identity_server_analytics	-	5.6.0.x
wso2 / identity_server	-	5.9.0.x
wso2 / identity_server_as_key_manager	-	5.9.0.x
wso2 / enterprise_integrator	-	6.4.0.x
wso2 / api_microgateway	2.2.0	2.2.0.x
wso2 / api_manager_analytics	-	2.5.0.x
wso2 / api_manager	-	3.0.0.x

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665

Vulnerability Database

289,697

CVE-2020-12719