django-anymail is vulnerable to information disclosure. When an error occurs, the value of the `WEBHOOK_AUTHORIZATION` setting is printed in the Django error reports. This may allow anyone with access to the logs to discover the webhook shared secret and send inbound/tracking events to your application. As well as upgrading this dependency, if the event tracking or inbound webhooks feature of Anymail is used, the `WEBHOOK_AUTHORIZATION` variable should be changed to `WEBHOOK_SECRET` in the `settings.py`.
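The following settings audit is an added example, not code from django-anymail or Django. It mirrors the name pattern Django's error reporter uses to mask setting values (re-implemented here in simplified form so it runs without Django) and reports which Anymail webhook credential names would still appear in clear text. The function names and all sample values are constructed for illustration.

```python
import re

# Name pattern Django's error reporter uses to decide which settings to mask
# (mirrored here; this is a simplified re-implementation, not Django's code).
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.I)
CLEANSED = "********************"


def cleanse_setting(key, value):
    """Mask the value if the setting name looks sensitive; recurse into dicts."""
    if isinstance(key, str) and HIDDEN_SETTINGS.search(key):
        return CLEANSED
    if isinstance(value, dict):
        return {k: cleanse_setting(k, v) for k, v in value.items()}
    return value


def exposed_webhook_settings(settings):
    """Return dotted names of webhook credentials an error report would show."""
    watched = ("WEBHOOK_AUTHORIZATION", "WEBHOOK_SECRET")
    found = []

    def walk(prefix, mapping):
        for key, value in mapping.items():
            path = prefix + str(key)
            if isinstance(value, dict):
                walk(path + ".", value)
            elif any(w in str(key) for w in watched) and value != CLEANSED:
                found.append(path)

    walk("", {k: cleanse_setting(k, v) for k, v in settings.items()})
    return sorted(found)


# Constructed sample settings: the old name, the renamed one, and the flat
# ANYMAIL_-prefixed form of the old name.
BEFORE = {"ANYMAIL": {"MAILGUN_API_KEY": "constructed-key",
                      "WEBHOOK_AUTHORIZATION": "user:constructed-secret"}}
AFTER = {"ANYMAIL": {"MAILGUN_API_KEY": "constructed-key",
                     "WEBHOOK_SECRET": "user:constructed-secret"}}
FLAT = {"ANYMAIL_WEBHOOK_AUTHORIZATION": "user:constructed-secret"}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("flat", FLAT)):
        print(label, exposed_webhook_settings(cfg))
```

Any credential that was stored under the old name and may have reached an error report or log should be treated as disclosed and replaced with a new value when the setting is renamed.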
CPE

Name | Operator | Version |
---|---|---|
django-anymail | le | 1.3 |