CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2020-24704
https://notcve.org/view.php?id=CVE-2020-24704
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1. Se detectó un problema en determinados productos WSO2. La herramienta Try It permite un ataque de tipo XSS Reflejado. • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0685 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.7EPSS: 0%CPEs: 7EXPL: 0CVE-2020-12719
https://notcve.org/view.php?id=CVE-2020-12719
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier. Una vulnerabilidad de tipo XXE durante una actualización de EventPublisher puede presentarse en Management Console en WSO2 API Manager versiones 3.0.0 y anteriores, API Manager Analytics versiones 2.5.0 y anteriores, API Microgateway versión 2.2.0, Enterprise Integrator versiones 6.4.0 y anteriores, IS as Key Manager versiones 5.9.0 y anteriores, Identity Server versiones 5.9.0 y anteriores, e Identity Server Analytics versiones 5.6.0 y anteriores. • https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11885
https://notcve.org/view.php?id=CVE-2020-11885
WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file. WSO2 Enterprise Integrator versiones hasta 6.6.0, tiene una vulnerabilidad de tipo XXE en la que un usuario (con acceso a la consola de administración) puede usar el validador XML para hacer invocaciones de red no intencionadas tales como SSRF por medio de un archivo cargado. • https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0684 • CWE-611: Improper Restriction of XML External Entity Reference CWE-918: Server-Side Request Forgery (SSRF) •