353 matches found

RedhatCVE
added 2025/05/22 3:54 p.m. | 7 views

CVE-2020-13883

In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle...

CVSS 6.7 | AI score 7 | EPSS 0.00279
Exploits 0

RedhatCVE
added 2025/05/22 3:52 p.m. | 3 views

CVE-2020-27885

Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s password and invalidate the session of th...

CVSS 6.1 | AI score 5.8 | EPSS 0.01056
Exploits 1

RedhatCVE
added 2025/05/22 10:18 a.m. | 5 views

CVE-2019-6512

An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF network scanning), or to enumerate files because of the existence of the file:// wrapper...

CVSS 4.1 | AI score 6.9 | EPSS 0.00324
Exploits 0 | References 1

RedhatCVE
added 2025/05/22 10:12 a.m. | 5 views

CVE-2019-20436

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configurin...

CVSS 6.1 | AI score 6 | EPSS 0.00657
Exploits 1 | References 1

RedhatCVE
added 2025/05/22 8:36 a.m. | 4 views

CVE-2019-6515

An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user...

CVSS 5.3 | AI score 7 | EPSS 0.00877
Exploits 0 | References 1

RedhatCVE
added 2025/05/22 8:28 a.m. | 4 views

CVE-2019-20441

An issue was discovered in WSO2 API Manager 2.6.0. A potential Stored Cross-Site Scripting (XSS) vulnerability has been identified in the 'implement phase' of the API Publisher...

CVSS 4.8 | AI score 5.6 | EPSS 0.00434
Exploits 1 | References 1

RedhatCVE
added 2025/05/22 8:9 a.m. | 5 views

CVE-2019-15108

An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component...

CVSS 4.8 | AI score 5.7 | EPSS 0.0026
Exploits 0 | References 1

RedhatCVE
added 2025/05/22 4:57 a.m. | 6 views

CVE-2019-20442

An issue was discovered in WSO2 API Manager 2.6.0, WSO2 Enterprise Integrator 6.5.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. A potential stored Cross-Site Scripting (XSS) vulnerability in roleToAuthorize has been identified in the registry UI...

CVSS 4.8 | AI score 5.6 | EPSS 0.00404
Exploits 1 | References 1

CNNVD
added 2025/05/22 12:0 a.m. | 2 views

Security vulnerability in multiple WSO2 products

WSO2 API Manager and others are products of WSO2, Inc. of the U.S. WSO2 API Manager is an API lifecycle management solution. WSO2 Identity Server (IS) is an identity server. WSO2 Open Banking AM is an open banking accelerator. A security vulnerability exists in several WSO2 products that stems from a...

CVSS 9.8 | AI score 6.3 | EPSS 0.00547
Exploits 0 | References 2

CNNVD
added 2025/05/22 12:0 a.m. | 1 views

Cross-site scripting vulnerability in WSO2 API Manager and WSO2 Identity Server (IS)

WSO2 API Manager and WSO2 Identity Server (IS) are both products of WSO2, Inc. WSO2 API Manager is an API lifecycle management solution. WSO2 Identity Server is an identity server. A cross-site scripting vulnerability exists in WSO2 API Manager and WSO2 Identity Server (IS), which stems from a lack of...

CVSS 6.1 | AI score 6 | EPSS 0.00117
Exploits 0 | References 1

RedhatCVE
added 2025/05/07 9:22 a.m. | 18 views

CVE-2025-2905

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: Read sensitive files from the...

CVSS 9.1 | AI score 6.7 | EPSS 0.00134
Exploits 0 | References 1

Github Security Blog
added 2025/05/05 9:31 a.m. | 11 views

WSO2 API Manager XML External Entity (XXE) vulnerability

An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by ...

CVSS 9.1 | AI score 6.9 | EPSS 0.00134
Exploits 0 | References 3 | Affected Software 1

OSV
added 2025/05/05 9:31 a.m. | 5 views

GHSA-H94W-8QHG-3XMC WSO2 API Manager XML External Entity (XXE) vulnerability

An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed without appropriate restrictions, enabling external entity resolution. This vulnerability can be exploited by ...

CVSS 9.1 | AI score 6.9 | EPSS 0.00134
Exploits 0 | References 3

OSV
added 2025/05/05 9:15 a.m. | 1 views

CVE-2025-2905

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: Read sensitive files from the...

CVSS 9.1 | AI score 6.7
Exploits 0 | References 1

NVD
added 2025/05/05 9:15 a.m. | 20 views

CVE-2025-2905

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: Read sensitive files from the...

CVSS 9.1 | EPSS 0.00134
Exploits 0 | References 1

Cvelist
added 2025/05/05 9:2 a.m. | 25 views

CVE-2025-2905 An XML External Entity (XXE) vulnerability in Multiple WSO2 Products

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: Read sensitive files from the...

CVSS 9.1 | EPSS 0.00134
Exploits 0 | References 1

CVE
added 2025/05/05 9:2 a.m. | 137 views

CVE-2025-2905

The CVE-2025-2905 entry describes an XML External Entity (XXE) vulnerability in the WSO2 API Manager gateway component due to insufficient validation of XML input. The issue allows unauthenticated remote attackers to read server filesystem files and perform denial-of-service (DoS) attacks. Affect...

CVSS 9.1 | AI score 6.2 | EPSS 0.00134
Exploits 0 | References 1 | Affected Software 1

Vulnrichment
added 2025/05/05 9:2 a.m. | 16 views

CVE-2025-2905 An XML External Entity (XXE) vulnerability in Multiple WSO2 Products

Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 Products. A successful XXE attack could allow a remote, unauthenticated attacker to: Read sensitive files from the...

CVSS 9.1 | AI score 6.2 | EPSS 0.00134
Exploits 0 | References 1

CNNVD
added 2025/05/05 12:0 a.m. | 1 views

WSO2 API Manager security vulnerability

WSO2 API Manager is a suite of API lifecycle management solutions from US-based WSO2. A security vulnerability exists in WSO2 API Manager version 2.0.0 and prior versions, which stems from insufficient validation of XML inputs to the gateway component and could lead to XML external entity injecti...

CVSS 9.1 | AI score 6.5 | EPSS 0.00134
Exploits 0 | References 2

Positive Technologies
added 2025/05/05 12:0 a.m. | 2 views

PT-2025-19376

Name of the Vulnerable Software and Affected Versions: WSO2 API Manager versions 2.0.0 and earlier. Description: An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. User-supplied XML is parsed...

CVSS 9.1 | AI score 6.6 | EPSS 0.00134
Exploits 0 | References 35