PT-2018-17658 · Anymail · Anymail

Scott Kitterman

·

Published

2018-02-03

·

Updated

2018-07-12

·

CVE-2018-6596

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Anymail versions prior to 1.2.1
Description The issue allows remote attackers to post arbitrary e-mail tracking events due to a timing attack vulnerability on the WEBHOOK AUTHORIZATION secret.
Recommendations For versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2018-6596
DSA-4107-1
GHSA-HXF9-7H4C-F5JV
PYSEC-2018-7

Affected Products

Anymail