7.5
CVE-2024-8010
- EPSS 0.27%
- Veröffentlicht 16.04.2026 10:16:14
- Zuletzt bearbeitet 23.04.2026 15:35:27
- Quelle ed10eef1-636d-4fbe-9993-6890df
- CVE-Watchlists
- Unerledigt
XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wso2 ≫ Api Manager Version >= 3.2.0 < 3.2.0.397
Wso2 ≫ Api Manager Version >= 3.2.1 < 3.2.1.27
Wso2 ≫ Api Manager Version >= 4.0.0 <= 4.0.0.310
Wso2 ≫ Api Manager Version >= 4.1.0 < 4.1.0.171
Wso2 ≫ Api Manager Version >= 4.2.0 < 4.2.0.127
Wso2 ≫ Api Manager Version >= 4.3.0 < 4.3.0.39
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.27% | 0.188 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| ed10eef1-636d-4fbe-9993-6890dfa878f8 | 3.5 | 2.1 | 1.4 |
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-611 Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/