CVE-2025-10713
6.5
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Summary
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.
A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WSO2 | WSO2 Enterprise Integrator | 0 < 6.6.0 | unknown |
| WSO2 | WSO2 Enterprise Integrator | 6.6.0 < 6.6.0.223 | affected |
| WSO2 | WSO2 API Control Plane | 4.5.0 < 4.5.0.27 | affected |
| WSO2 | WSO2 Universal Gateway | 4.5.0 < 4.5.0.25 | affected |
| WSO2 | WSO2 Traffic Manager | 4.5.0 < 4.5.0.25 | affected |
| WSO2 | WSO2 API Manager | 0 < 3.1.0 | unknown |
| WSO2 | WSO2 API Manager | 3.1.0 < 3.1.0.344 | affected |
| WSO2 | WSO2 API Manager | 3.2.0 < 3.2.0.445 | affected |
| WSO2 | WSO2 API Manager | 3.2.1 < 3.2.1.65 | affected |
| WSO2 | WSO2 API Manager | 4.0.0 < 4.0.0.365 | affected |
| WSO2 | WSO2 API Manager | 4.1.0 < 4.1.0.227 | affected |
| WSO2 | WSO2 API Manager | 4.2.0 < 4.2.0.167 | affected |
| WSO2 | WSO2 API Manager | 4.3.0 < 4.3.0.79 | affected |
| WSO2 | WSO2 API Manager | 4.4.0 < 4.4.0.43 | affected |
| WSO2 | WSO2 API Manager | 4.5.0 < 4.5.0.26 | affected |
| WSO2 | WSO2 Identity Server | 0 < 5.10.0 | unknown |
| WSO2 | WSO2 Identity Server | 5.10.0 < 5.10.0.373 | affected |
| WSO2 | WSO2 Identity Server | 5.11.0 < 5.11.0.417 | affected |
| WSO2 | WSO2 Identity Server | 7.1.0 < 7.1.0.29 | affected |
| WSO2 | WSO2 Open Banking IAM | 0 < 2.0.0 | unknown |
| WSO2 | WSO2 Open Banking IAM | 2.0.0 < 2.0.0.413 | affected |
| WSO2 | WSO2 Open Banking AM | 0 < 2.0.0 | unknown |
| WSO2 | WSO2 Open Banking AM | 2.0.0 < 2.0.0.393 | affected |
| WSO2 | WSO2 Identity Server as Key Manager | 0 < 5.10.0 | unknown |
| WSO2 | WSO2 Identity Server as Key Manager | 5.10.0 < 5.10.0.363 | affected |
| WSO2 | org.wso2.carbon.mediation:org.wso2.carbon.localentry | 4.7.30 < 4.7.30.46 | affected |
| WSO2 | org.wso2.carbon.mediation:org.wso2.carbon.localentry | 4.7.61 < 4.7.61.61 | affected |
| WSO2 | org.wso2.carbon.mediation:org.wso2.carbon.localentry | 4.7.99 < 4.7.99.303 | affected |
| WSO2 | org.wso2.carbon.mediation:org.wso2.carbon.localentry | 4.7.131 < 4.7.131.21 | affected |
| WSO2 | org.wso2.carbon.mediation:org.wso2.carbon.localentry | 4.7.175 < 4.7.175.29 | affected |
| WSO2 | org.wso2.carbon.mediation:org.wso2.carbon.localentry | 4.7.188 < 4.7.188.11 | affected |
| WSO2 | org.wso2.carbon.mediation:org.wso2.carbon.localentry | 4.7.204 < 4.7.204.12 | affected |
| WSO2 | org.wso2.carbon.mediation:org.wso2.carbon.localentry | 4.7.221 < 4.7.221.6 | affected |
| WSO2 | org.wso2.carbon.mediation:org.wso2.carbon.localentry | 4.7.245 < 4.7.245.6 | affected |
| WSO2 | org.wso2.carbon.mediation:org.wso2.carbon.localentry | 4.7.259 <= * | unaffected |
Weaknesses
- CWE-611: CWE-611 Improper Restriction of XML External Entity Reference
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.