A potential XXE and an XSS vulnerability have been identified in multiple WSO2 products.
The vendor's disclosure and fix for this vulnerability can be found here.
Neither I nor the vendor requested a CVE for these vulnerabilities.
This vulnerability requires one of the following:
- Convincing a legitimate WSO2 user to add a malicious repository, or
- Valid user credentials
More details and the exploitation process can be found in this PDF.