Vulnerability Description
Anymail django-anymail versions 0.2 through 1.3 contain a CWE-532 / CWE-209 vulnerability: the WEBHOOK_AUTHORIZATION setting value is written into error reports, so an attacker with access to error logs could fabricate email tracking events. The issue is exploitable when Django error reports are exposed: an attacker could discover the ANYMAIL_WEBHOOK setting from them and use it to post fabricated or malicious Anymail tracking/inbound events to the application. This vulnerability appears to have been fixed in v1.4.
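The weakness class described above, as an added illustration that is not django-anymail's own code: a webhook validator whose failure message embeds the configured shared secret (so it lands in tracebacks and error reports), beside a hardened version whose message carries no secret and compares in constant time. The secret value, function names and the Basic-auth parsing helper are all constructed for this example.

```python
import base64
import hmac

# Constructed example value in the "user:password" form Anymail expects;
# not a real credential from any deployment.
WEBHOOK_AUTHORIZATION = "webhook-user:constructed-example-secret"


class WebhookValidationFailure(Exception):
    """Raised when the incoming webhook's credentials do not match."""


def credentials_from_header(authorization_header):
    """Extract 'user:password' from an HTTP Basic Authorization header, or None."""
    if not authorization_header:
        return None
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def validate_leaky(credentials):
    # Vulnerable pattern (CWE-532 / CWE-209): the expected secret is interpolated
    # into the exception text, so any error report that captures the traceback
    # discloses the value needed to forge webhook events.
    if credentials != WEBHOOK_AUTHORIZATION:
        raise WebhookValidationFailure(
            "Invalid basic auth: expected %r, got %r" % (WEBHOOK_AUTHORIZATION, credentials))
    return True


def validate_hardened(credentials):
    # Hardened pattern: constant-time comparison, and a failure message that
    # names the condition without repeating either the expected or received value.
    if credentials is None or not hmac.compare_digest(
            credentials.encode("utf-8"), WEBHOOK_AUTHORIZATION.encode("utf-8")):
        raise WebhookValidationFailure("Missing or invalid basic auth in webhook request")
    return True


def message_leaks_secret(validator, credentials):
    """Return True if the validator's failure message contains the configured secret."""
    try:
        validator(credentials)
    except WebhookValidationFailure as exc:
        return WEBHOOK_AUTHORIZATION in str(exc)
    return False
```

Reviewing `message_leaks_secret(validate_leaky, ...)` against a wrong credential shows the disclosure; the hardened validator rejects the same input without the secret ever reaching the log.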
CVSS Score
7.4 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Django-Anymail Project | Django-Anymail | >= 0.2, <= 1.3 |
Related Weaknesses (CWE)
- CWE-532: Insertion of Sensitive Information into Log File
- CWE-209: Generation of Error Message Containing Sensitive Information
References
- https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed (Patch, Vendor Advisory)
- https://github.com/anymail/django-anymail/releases/tag/v1.4 (Release Notes)
FAQ
What is CVE-2018-1000089?
CVE-2018-1000089 is a vulnerability with a CVSS score of 7.4 (HIGH). Anymail django-anymail versions 0.2 through 1.3 contain a CWE-532 / CWE-209 vulnerability in the WEBHOOK_AUTHORIZATION setting value, as a result of which an attacker with access to error logs could f...
How severe is CVE-2018-1000089?
CVE-2018-1000089 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2018-1000089?
Check the references section above for the vendor advisory, the fixing commit and the v1.4 release notes. Affected product: Django-Anymail (Django-Anymail Project), versions 0.2 through 1.3.