PT-2018-9268 · Django · Django-Anymail

Charlie Detar +1 · Published 2018-03-13 · Updated 2022-05-14 · CVE-2018-1000089

CVSS v4.0: 9.1 Critical
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: django-anymail versions 0.2 through 1.3
Description: The issue concerns the value of the WEBHOOK_AUTHORIZATION setting, which an attacker with access to error logs can use to fabricate email tracking events. If Django error reports are exposed, an attacker can read the WEBHOOK_AUTHORIZATION value from the ANYMAIL settings in those reports and then post fabricated or malicious Anymail tracking/inbound events to the application.
Recommendations: For django-anymail versions 0.2 through 1.3, update to version 1.4 or later to resolve the issue.
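The description above hinges on how Django's debug error reports decide which settings to mask: the default filter matches on the setting's name, not its value, so a credential stored under a name the filter does not recognise is printed in clear. The following Python script is an added example, not code from django-anymail or Django; it re-implements that name-based masking in a few lines (the hidden-name pattern is reproduced from Django's default SafeExceptionReporterFilter and is an assumption to confirm against your installed Django version, since newer releases also match HTTP_COOKIE) and audits a constructed settings dictionary for string values that would survive cleansing.

```python
import re

# Pattern reproduced from Django's default SafeExceptionReporterFilter (assumption:
# confirm against the Django version you run; newer releases also match HTTP_COOKIE).
# Masking is decided by the setting NAME alone, never by the value.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
CLEANSED = "********************"


def cleanse_setting(key, value):
    """Mask a setting the way a Django debug report would: by key name, recursing into dicts."""
    if HIDDEN_SETTINGS.search(key):
        return CLEANSED
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    return value


def unmasked_string_settings(settings, prefix=""):
    """Return dotted paths of non-empty string settings that a debug report would print in clear."""
    exposed = []
    for key, value in settings.items():
        path = f"{prefix}{key}"
        shown = cleanse_setting(key, value)
        if isinstance(shown, dict):
            # Container name is not hidden, so every nested key is judged on its own name.
            exposed.extend(unmasked_string_settings(value, prefix=path + "."))
        elif isinstance(shown, str) and shown and shown != CLEANSED:
            exposed.append(path)
    return sorted(exposed)


# Constructed sample settings; none of these values come from a real deployment.
SAMPLE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "constructed-django-secret-key",
    "ANYMAIL": {
        "MAILGUN_API_KEY": "constructed-esp-api-key",
        # Name used by django-anymail 0.2 through 1.3: none of the hidden-name tokens match it.
        "WEBHOOK_AUTHORIZATION": "hookuser:constructed-webhook-password",
        # The same credential under a name the default filter does recognise.
        "WEBHOOK_SECRET": "hookuser:constructed-webhook-password",
    },
}


def report(settings=SAMPLE_SETTINGS):
    """Summarise whether debug reports are on and which settings they would expose."""
    return {
        "debug_enabled": bool(settings.get("DEBUG")),
        "exposed": unmasked_string_settings(settings),
    }


if __name__ == "__main__":
    print(report())
```

Run against the constructed settings, only `ANYMAIL.WEBHOOK_AUTHORIZATION` is reported as exposed: `SECRET_KEY`, `MAILGUN_API_KEY` and `WEBHOOK_SECRET` are all masked by name. Running the audit over a real settings module is a quick way to find credentials that live under names the filter misses; keeping `DEBUG` off in production and upgrading django-anymail to 1.4 or later remain the actual mitigations.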

Fix

Insertion into Log File


Weakness Enumeration

Related Identifiers

CVE-2018-1000089
GHSA-QH9X-MC42-VG4G
PYSEC-2018-46

Affected Products

Django-Anymail