WSO2 API Manager 3.0.0 and earlier Improper Restriction of XML External Entity Reference Vulnerability
In the event-receiver component, the secure processing feature has not been enabled for the XML parsers, so they are not protected against XXE attacks.
The information has been provided by Krzysztof Przybylski.
The original article can be found at: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0727
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, the Management Console allows XXE during the addition or update of a Lifecycle.
WSO2 API Manager 3.0.0 and earlier
WSO2 API Microgateway 2.2.0
WSO2 IS as Key Manager 5.9.0 and earlier