Security Advisory WSO2-2017-0210

Published: July 10, 2017

Severity: Medium

CVSS Score: 6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L)


AFFECTED PRODUCTS

  • WSO2 App Manager 1.2.0
  • WSO2 Dashboard Server 2.0.0

OVERVIEW

A potential authorization bypassing vulnerability is detected in the email templates page in the management console of the above-mentioned WSO2 Servers.

DESCRIPTION

Modifying email templates of identity management notifications such as password recovery, account recovery, etc., is an administrative functionality supported by the WSO2 server's management console. Only users with admin privileges should be allowed to do such operations. It has been found that non-admin users also can modify email templates provided that they can access the management console.

IMPACT

An attacker having the management console access with a valid non-admin user account can change email templates to mislead users and even perform Eavesdropper attacks to steal information like account recovery confirmations, and a limited set of user account information.

SOLUTION

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code Product Version Patch
AppM WSO2 App Manager 1.2.0 WSO2-CARBON-PATCH-4.4.0-0851
DS WSO2 Dashboard Server 2.0.0 WSO2-CARBON-PATCH-4.4.0-0837

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.