CVE-2025-10713
Essential information
- Published
- 05/11/2025 18:15
- Modified
- 04/12/2025 21:07
- Author
- —
- Creator
- —
- CVSS
- 6.5 MEDIUM (v3.1)
- CISA KEV
- No
- CWE
- —
- CVSS vector
-
—
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H—
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- NETWORK
- Attack complexity
- LOW
- Privileges required
- HIGH
- User interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality impact
- HIGH
- Integrity impact
- NONE
- Availability impact
- HIGH
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Attack requirements
- —
- Privileges required
- —
- User interaction
- —
- Confidentiality (V)
- —
- Confidentiality (S)
- —
- Integrity (V)
- —
- Integrity (S)
- —
- Availability (V)
- —
- Availability (S)
- —
- Exploit maturity
- —
Description
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities.
A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.
NVD status
- Status
- Analyzed — CVE has had analysis completed and all data associations made.
- Source
- ed10eef1-636d-4fbe-9993-6890dfa878f8
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| wso2 / api control plane | cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:* |
| wso2 / api manager | cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:* |
| wso2 / api manager | cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:* |
| wso2 / api manager | cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:* |
| wso2 / api manager | cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* |
| wso2 / api manager | cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:* |
| wso2 / api manager | cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:* |
| wso2 / api manager | cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:* |
| wso2 / api manager | cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:* |
| wso2 / api manager | cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:* |
| wso2 / enterprise integrator | cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:* |
| wso2 / identity server | cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:* |
| wso2 / identity server | cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:* |
| wso2 / identity server | cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:* |
| wso2 / open banking am | cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:* |
| wso2 / open banking iam | cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:* |
| wso2 / traffic manager | cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:* |
| wso2 / universal gateway | cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:* |