{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52911?format=json","vulnerability_id":"VCID-cjdq-8bzy-8uft","summary":"Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)\nThe Management Console in WSO2 API Manager allows XML External Entity injection (XXE) attacks.","aliases":[{"alias":"CVE-2020-24589"}],"fixed_packages":[],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/61435?format=json","purl":"pkg:maven/org.wso2.am.microgw/org.wso2.micro.gateway.core@2.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ubv-cmf7-3ffv"},{"vulnerability":"VCID-afh6-1arv-wkbk"},{"vulnerability":"VCID-cjdq-8bzy-8uft"},{"vulnerability":"VCID-cs6r-dpvb-r7bw"},{"vulnerability":"VCID-dwym-rb1b-8fd5"},{"vulnerability":"VCID-mpxj-zk4u-mkdq"},{"vulnerability":"VCID-snaq-p5fe-qfeu"},{"vulnerability":"VCID-sp1k-1yzm-d7au"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.wso2.am.microgw/org.wso2.micro.gateway.core@2.2.0"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-24589","reference_id":"","reference_type":"","scores":[{"value":"0.90156","scoring_system":"epss","scoring_elements":"0.99605","published_at":"2026-06-04T12:55:00Z"},{"value":"0.90156","scoring_system":"epss","scoring_elements":"0.99606","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-24589"},{"reference_url":"https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742","reference_id":"","reference_type":"","scores":[],"url":"https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24589","reference_id":"CVE-2020-24589","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-24589"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":776,"name":"Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","description":"The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":"2.0","weighted_severity":"0.8","risk_score":1.6,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cjdq-8bzy-8uft"}