CVE-2018-1000089
https://notcve.org/view.php?id=CVE-2018-1000089
Anymail django-anymail version version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in WEBHOOK_AUTHORIZATION setting value that can result in An attacker with access to error logs could fabricate email tracking events. This attack appear to be exploitable via If you have exposed your Django error reports, an attacker could discover your ANYMAIL_WEBHOOK setting and use this to post fabricated or malicious Anymail tracking/inbound events to your app. This vulnerability appears to have been fixed in v1.4. Anymail django-anymail, de la versión 0.2 a la 1.3, contiene una vulnerabilidad de CWE-532 y CWE-209 en el valor de opción WEBHOOK_AUTHORIZATION que puede resultar en que un atacante con acceso a los registros de error fabrique eventos de rastreo de email. Si los informes de error de Django están expuestos, un atacante podría descubrir su opción ANYMAIL_WEBHOOK y emplearlo para publicar eventos fabricados o maliciosos tracking/inbound de Anymail a una app. • https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef https://github.com/anymail/django-anymail/releases/tag/v1.4 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2018-6596
https://notcve.org/view.php?id=CVE-2018-6596
webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events. webhooks/base.py en Anymail (también conocido como django-anymail), en versiones anteriores a la 1.2.1, es propenso a una vulnerabilidad de ataque de sincronización en el secreto WEBHOOK_AUTHORIZATION, que permite que los atacantes remotos publiquen eventos de seguimiento de email. • https://bugs.debian.org/889450 https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5 https://github.com/anymail/django-anymail/releases/tag/v1.2.1 https://github.com/anymail/django-anymail/releases/tag/v1.3 https://www.debian.org/security/2018/dsa-4107 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •