Back to search
CVE-2019-19844
Published: Dec 18, 2019
Modified: Aug 5, 2024
PUBLISHED
Description
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
https://docs.djangoproject.com/en/dev/releases/security/
x_refsource_MISC
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
x_refsource_CONFIRM
USN-4224-1
vendor-advisory
x_refsource_UBUNTU
DSA-4598
vendor-advisory
x_refsource_DEBIAN
20200108 [SECURITY] [DSA 4598-1] python-django security update
mailing-list
x_refsource_BUGTRAQ
https://security.netapp.com/advisory/ntap-20200110-0003/
x_refsource_CONFIRM
FEDORA-2020-adb4f0143a
vendor-advisory
x_refsource_FEDORA
GLSA-202004-17
vendor-advisory
x_refsource_GENTOO
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now