WSO2 API Manager 3.0.0 and earlier Improper Restriction of XML External Entity Reference Vulnerability
In the event-publisher component, the secure processing feature has not been enabled for the XML parsers, so they are not protected against XXE attacks.
The information has been provided by Paweł Hałdrzyński.
The original article can be found at: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665
XXE can occur in the Management Console during an EventPublisher update.
WSO2 API Manager 3.0.0 and earlier
WSO2 API Manager Analytics 2.5.0 and earlier
WSO2 API Microgateway 2.2.0
WSO2 Enterprise Integrator 6.4.0 and earlier
IS as Key Manager 5.9.0 and earlier
Identity Server 5.9.0 and earlier
Identity Server Analytics 5.6.0 and earlier
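
The missing hardening described above, shown on a JAXP `DocumentBuilderFactory` next to an unconfigured one. This is an added example, not code from WSO2 or from the advisory. The class name, the constructed `eventPublisher` sample documents, and the DTD and entity features set in addition to secure processing are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

// Hypothetical class name; illustrates parser hardening only.
public class HardenedXmlParserExample {

    // Factory with secure processing enabled, DOCTYPE declarations rejected
    // and external entity resolution switched off.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Defence in depth (assumption, not named in the advisory).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Returns true if the factory's parser accepts the document,
    // false if it rejects it with a SAXException.
    static boolean accepts(DocumentBuilderFactory dbf, String xml) throws Exception {
        try {
            dbf.newDocumentBuilder()
               .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one plain document, one carrying a DOCTYPE
        // with a harmless internal entity (no external reference).
        String plain = "<eventPublisher name=\"sample\"/>";
        String withDoctype = "<!DOCTYPE eventPublisher [<!ENTITY e \"x\">]>"
                + "<eventPublisher name=\"&e;\"/>";

        DocumentBuilderFactory unconfigured = DocumentBuilderFactory.newInstance();
        DocumentBuilderFactory hardened = hardenedFactory();

        System.out.println("unconfigured, DOCTYPE: " + accepts(unconfigured, withDoctype));
        System.out.println("hardened, plain:       " + accepts(hardened, plain));
        System.out.println("hardened, DOCTYPE:     " + accepts(hardened, withDoctype));
    }
}
```

Rejecting every DOCTYPE is the strictest setting; a component that must accept DTDs would drop that one feature and rely on the remaining entity restrictions.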