Veracode (added 2018/03/15 4:36 a.m.)

Information Disclosure

django-anymail is vulnerable to information disclosure. When an error occurs, the value of the WEBHOOKAUTHORIZATION setting is printed in the Django error reports. This may allow anyone with access to the logs to discover the webhook shared secret and send inbound/tracking events to your...

CVSS 7.4, AI score 6.9, EPSS 0.01243
Exploits: 0, References: 2, Affected software: 1
OSV (added 2018/03/13 3:29 p.m.)

DEBIAN-CVE-2018-1000089

Anymail django-anymail version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in the WEBHOOKAUTHORIZATION setting value that can result in an attacker with access to error logs fabricating email tracking events. This attack appears to be exploitable via: If you have exposed your...

CVSS 7.4, AI score 7.3, EPSS 0.01243
Exploits: 0, References: 1
PyPA (added 2018/03/13 3:29 p.m.)

PYSEC-2018-46

Anymail django-anymail version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in the WEBHOOKAUTHORIZATION setting value that can result in an attacker with access to error logs fabricating email tracking events. This attack appears to be exploitable via: If you have exposed your...

CVSS 7.4, AI score 6.8, EPSS 0.01243
Exploits: 0, References: 3, Affected software: 1
OSV (added 2018/03/13 3:29 p.m.)

UBUNTU-CVE-2018-1000089

Anymail django-anymail version 0.2 through 1.3 contains a CWE-532, CWE-209 vulnerability in the WEBHOOKAUTHORIZATION setting value that can result in an attacker with access to error logs fabricating email tracking events. This attack appears to be exploitable via: If you have exposed your...

CVSS 7.4, AI score 7.1, EPSS 0.01243
Exploits: 0, References: 3
Tenable Nessus (added 2018/02/08 12:00 a.m.)

Debian DSA-4107-1 : django-anymail - security update

It was discovered that the webhook validation of Anymail, a Django email backend for multiple ESPs, is prone to a timing attack. A remote attacker can take advantage of this flaw to obtain a WEBHOOKAUTHORIZATION secret and post arbitrary email tracking events. © Tenable Network Security, Inc. Th...

CVSS 9.1, AI score 8.4, EPSS 0.02659
Exploits: 0, References: 5
PyPA (added 2018/02/03 9:29 p.m.)

PYSEC-2018-7

webhooks/base.py in Anymail aka django-anymail before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOKAUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events...

CVSS 9.1, AI score 7, EPSS 0.02659
Exploits: 0, References: 7, Affected software: 1
OSV (added 2018/02/03 9:29 p.m.)

CVE-2018-6596

webhooks/base.py in Anymail aka django-anymail before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOKAUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events...

CVSS 9.1, AI score 7.3
Exploits: 0, References: 6
OSV (added 2018/02/03 9:29 p.m.)

DEBIAN-CVE-2018-6596

webhooks/base.py in Anymail aka django-anymail before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOKAUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events...

CVSS 9.1, AI score 8.9, EPSS 0.02659
Exploits: 0, References: 1
OSV (added 2018/02/03 9:29 p.m.)

UBUNTU-CVE-2018-6596

webhooks/base.py in Anymail aka django-anymail before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOKAUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events...

CVSS 9.1, AI score 7.4, EPSS 0.02659
Exploits: 0, References: 7
Hacker One (added 2018/01/03 9:23 a.m.)

GitLab: SSRF vulnerability in gitlab.com webhook

1. Log in to your GitLab account and create a new project, then go to https://gitlab.com/username/project/settings/integrations. 2. You can add a URL to SSRF. The following are the steps to reproduce: If you enter http://127.0.0.1:80/haha.txt as the URL, we will get "Hook executed successfully but returned...

AI score 6.9
Exploits: 0
myhack58 (added 2017/08/07 12:00 a.m.)

See how I chained 4 vulnerabilities into GitHub Enterprise remote code execution - vulnerability warning - the black bar safety net

Hello everyone. Since it has been six months since the last vulnerability disclosure, in this article I will show you how to achieve a complete GitHub Enterprise RCE through 4 vulnerabilities. The method used to achieve the RCE is related to a server-side request forgery (SSRF) technique,...

AI score 8.8
Exploits: 0
myhack58 (added 2017/08/01 12:00 a.m.)

From an SSRF exploitation chain to RCE: see how I used four vulnerabilities in GitHub Enterprise - vulnerability warning - the black bar safety net

In the past few months, I have been seriously preparing my talk content for the 2017 Black Hat USA conference and DEF CON 25. Becoming a Black Hat and DEF CON speaker has always been a very important goal in my life. In addition, this is also my first time on such a formal occasio...

Exploits: 0
Hacker One (added 2017/06/14 12:51 p.m.)

Mixmax: Design issue with webhook (several) notifications on mixmax.com

Hi team, I noticed a design problem involving successive notifications about an incorrect webhook set at https://app.mixmax.com/dashboard/settings/rules I set an incorrect webhook for testing on this page and in a few hours I received more than 10 notifications. This can cause a certain...

AI score 1.3
Exploits: 0
Atlassian (added 2017/01/09 11:15 p.m.)

XSS on Delete Webhook

It was possible for users with JIRA administrator rights to perform an XSS attack by convincing another user, potentially a user with system administrator rights, to delete a specific webhook...

AI score 3.7
Exploits: 0, Affected software: 1
Atlassian (added 2017/01/09 11:15 p.m.)

XSS on Delete Webhook

It was possible for users with JIRA administrator rights to perform an XSS attack by convincing another user, potentially a user with system administrator rights, to delete a specific webhook...

AI score 3.7
Exploits: 0
Hacker One (added 2016/09/18 4:27 a.m.)

Trello: SSRF in account webhook (through API)

It was possible to create a webhook that pointed to the EC2 metadata address, http://169.254.169.254. While no data from that address would be returned, the webhook would be created successfully with a 200 status, indicating that the proxy used by the webhook requests wasn't blocking access to that...

AI score 6.8
Exploits: 0
Hacker One (added 2016/08/11 6:36 p.m.)

Moneybird: Webhook allows sending payload using insecure HTTP protocol

Researcher noted that a non-secure HTTP endpoint is allowed in webhooks. We have decided to allow non-secure webhooks because too many API clients don't have HTTPS endpoints to receive our webhooks. We have added warnings to inform our clients what the security risks are, but cannot require HTTPS...

AI score 0.8
Exploits: 0
Hacker One (added 2016/04/05 10:49 a.m.)

Trello: Payment information is sent to the webhook when a team changes its visibility

If an attacker installed a webhook on a team, and the team subsequently changed its visibility from private to public, the payload sent to the webhook to notify it of the visibility change could potentially have disclosed some information that the attacker shouldn't have had access to. For paid...

AI score 6.5
Exploits: 0
Hacker One (added 2014/03/11 5:34 p.m.)

Slack: User impersonation is possible with incoming webhooks

Using the incoming webhook service it is possible to send messages to the team from an arbitrary username. A malicious user could modify the image of the webhook service to match an existing user and then send a message with the username of an existing user. Other users would not be able to tell...

AI score 1.8
Exploits: 0