CVE-2024-8010
Received Received - Intake
XML External Entity Injection in Publisher Component Enables Data Exposure

Publication date: 2026-04-16

Last updated on: 2026-04-23

Assigner: WSO2 LLC

Description
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2024-8010
EUVD
EUVD-2024-55549
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
wso2 api_manager From 3.2.0 (inc) to 3.2.0.397 (exc)
wso2 api_manager From 3.2.1 (inc) to 3.2.1.27 (exc)
wso2 api_manager From 4.0.0 (inc) to 4.0.0.310 (inc)
wso2 api_manager From 4.1.0 (inc) to 4.1.0.171 (exc)
wso2 api_manager From 4.2.0 (inc) to 4.2.0.127 (exc)
wso2 api_manager From 4.3.0 (inc) to 4.3.0.39 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs because the component accepts XML input through the publisher without disabling external entity resolution. This means that an attacker can submit a specially crafted XML payload that includes external entity references which are not properly escaped or blocked.

By exploiting this, the attacker can cause the system to process these external entities, potentially allowing them to read confidential files from the product's file system or access restricted HTTP resources via HTTP GET requests.

Impact Analysis

The impact of this vulnerability is that a malicious actor could gain unauthorized access to sensitive information stored on the system by reading confidential files.

Additionally, the attacker could access limited HTTP resources that should not be reachable, potentially exposing further sensitive data or internal services.

The CVSS score indicates a low to medium severity with limited impact on confidentiality and no impact on integrity or availability, but it still represents a risk of information disclosure.

Compliance Impact

This vulnerability allows a malicious actor to read confidential files from the product's file system or access limited HTTP resources. Such unauthorized access to confidential information can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls to protect sensitive data from unauthorized disclosure.

By exploiting this vulnerability, the confidentiality of sensitive data may be compromised, potentially resulting in non-compliance with standards that mandate data privacy and security.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-8010. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart