Security Advisory WSO2-2017-0210

Published: July 10, 2017

Severity: Medium

CVSS Score: 6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L)


  • WSO2 App Manager 1.2.0
  • WSO2 Dashboard Server 2.0.0


A potential authorization bypassing vulnerability is detected in the email templates page in the management console of the above-mentioned WSO2 Servers.


Modifying email templates of identity management notifications such as password recovery, account recovery, etc., is an administrative functionality supported by the WSO2 server's management console. Only users with admin privileges should be allowed to do such operations. It has been found that non-admin users also can modify email templates provided that they can access the management console.


An attacker having the management console access with a valid non-admin user account can change email templates to mislead users and even perform Eavesdropper attacks to steal information like account recovery confirmations, and a limited set of user account information.


Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to

Code Product Version Patch
AppM WSO2 App Manager 1.2.0 WSO2-CARBON-PATCH-4.4.0-0851
DS WSO2 Dashboard Server 2.0.0 WSO2-CARBON-PATCH-4.4.0-0837


If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.