WSO2 Identity Application Management Component is vulnerable to XML external entity (XXE) attacks. The vulnerability exists in the unmarshalSP function in ApplicationManagementServiceImpl.java: the SP file content is not parsed securely during unmarshalling, which allows an attacker to gain access to sensitive information and perform unauthorized actions.
packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html
seclists.org/fulldisclosure/2022/Jun/7
docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1289
github.com/advisories/GHSA-rjgm-f3mv-p89p
github.com/wso2/carbon-identity-framework/commit/e9119883ee02a884f3c76c7bbc4022a4f4c58fc0
github.com/wso2/carbon-identity-framework/pull/3472