PT-2018-9268 · Django · Django-Anymail

Reporter: Charlie Detar

Published: 2018-03-13 · Updated: 2022-05-14

CVE-2018-1000089

CVSS v4.0: 9.1 (Critical)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: django-anymail versions 0.2 through 1.3
Description: The issue concerns the value of the ANYMAIL WEBHOOK_AUTHORIZATION setting, which an attacker with access to error logs can use to fabricate email tracking events. If Django error reports (which include the project's settings) are exposed, an attacker can read the WEBHOOK_AUTHORIZATION value from them and then post fabricated or malicious Anymail tracking/inbound events to the application.
Recommendations: For django-anymail versions 0.2 through 1.3, update to version 1.4 or later to resolve the issue.

Fix

Insertion into Log File


Weakness Enumeration

Related identifiers

CVE-2018-1000089
GHSA-QH9X-MC42-VG4G
PYSEC-2018-46

Affected products

Django-Anymail