Vulnerability Description
The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wso2 | Api Manager | <= 3.0.0 |
| Wso2 | Api Manager Analytics | 2.2.0 |
| Wso2 | Api Microgateway | 2.2.0 |
| Wso2 | Enterprise Integrator | 6.2.0 |
| Wso2 | Identity Server Analytics | <= 5.6.0 |
Related Weaknesses (CWE)
References
- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728Vendor Advisory
- https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728Vendor Advisory
FAQ
What is CVE-2020-24591?
CVE-2020-24591 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, ...
How severe is CVE-2020-24591?
CVE-2020-24591 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-24591?
Check the references section above for vendor advisories and patch information. Affected products include: Wso2 Api Manager, Wso2 Api Manager Analytics, Wso2 Api Microgateway, Wso2 Enterprise Integrator, Wso2 Identity Server Analytics.