Hakan Bayir

**Name of the Vulnerable Software and Affected Versions** WSO2 API Manager versions 2.6.0 through 4.0.0 WSO2 IS as Key Manager versions 5.7.0 through 5.10.0 WSO2 Identity Server versions 5.7.0 through 5.11.0 **Description** The issue allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests. This is due to an XML External Entity (XXE) vulnerability in the file-based service provider creation feature of the Management Console. **Recommendations** For WSO2 API Manager versions 2.6.0 through 4.0.0, update to a version that includes a fix for this issue. For WSO2 IS as Key Manager versions 5.7.0 through 5.10.0, update to a version that includes a fix for this issue. For WSO2 Identity Server versions 5.7.0 through 5.11.0, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the Management Console to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine OpManager version 12.3 before 123219 **Description** The issue is related to stored XSS. **Recommendations** For Zoho ManageEngine OpManager version 12.3 before 123219, update to a version that includes the fix, which is version 123219 or later.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine OpManager version 12.3 before 123219 **Description** The issue is related to a Self XSS vulnerability. **Recommendations** For Zoho ManageEngine OpManager version 12.3 before 123219, update to a version that includes the fix, which is version 123219 or later.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine OpManager versions prior to 12.3 build 123214 **Description** The issue allows for Unrestricted Arbitrary File Upload. **Recommendations** For versions prior to 12.3 build 123214, update to version 12.3 build 123214 or later to resolve the issue.