
CVE-2019-19844

CVSS Severity Score: 9.8 (CRITICAL)
EPSS Score: 0.1290%
EPSS Percentile: 5.76th
Published: Dec 18, 2019
Last Modified: Nov 21, 2024

Vulnerability Description

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. The password reset form looked users up with a case-insensitive email query, and some non-ASCII characters map to plain ASCII under case transformation (for example U+0131, dotless i, upper-cases to "I"). A suitably crafted email address that is equal to an existing user's email address after such a transformation would therefore match that user, and the password reset token for the matched account was sent to the address submitted in the form rather than to the address stored on the account. One mitigation in the new releases is to send password reset tokens only to the registered user email address.
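The collision described above, as an added example (this is not Django's code or the CVE page's): the database's case transformation behind `email__iexact` is emulated here with `str.upper()`, which is an assumption standing in for the SQL `UPPER()` a backend such as PostgreSQL generates. `vulnerable_reset` shows the pre-fix flow, where the token recipient is the submitted address; `fixed_reset` shows the two post-fix mitigations: a second, Unicode-aware comparison in Python (NFKC normalisation plus casefold) and mailing only the registered address. The user table is constructed for the demonstration.

```python
"""CVE-2019-19844: why a case-insensitive email lookup plus "mail the
submitted address" gives account takeover, and what the fix changes.
Added example; not Django's code. The DB case transform is emulated
with str.upper() (assumption)."""
import unicodedata

# Constructed user table: username -> registered email address.
USERS = {
    "mike123": "mike@example.org",
    "alice": "alice@example.org",
}


def db_iexact_match(requested: str, stored: str) -> bool:
    """Stand-in for the SQL produced by email__iexact (assumed: UPPER() = UPPER())."""
    return requested.upper() == stored.upper()


def vulnerable_reset(requested_email: str, users=USERS):
    """Pre-fix flow: every user matched by the case-insensitive query gets a
    token, and the token is mailed to the address the requester typed."""
    return [
        (username, requested_email)  # recipient = attacker-controlled input
        for username, stored in users.items()
        if db_iexact_match(requested_email, stored)
    ]


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Case-insensitive comparison following Unicode TR 36 (NFKC + casefold).
    Dotless i (U+0131) does not fold to 'i', so 'mıke' != 'mike' here."""
    return (
        unicodedata.normalize("NFKC", s1).casefold()
        == unicodedata.normalize("NFKC", s2).casefold()
    )


def fixed_reset(requested_email: str, users=USERS):
    """Post-fix flow: the DB match is re-checked in Python with a Unicode-aware
    comparison, and the token is mailed only to the registered address."""
    return [
        (username, stored)  # recipient = stored address, never the input
        for username, stored in users.items()
        if db_iexact_match(requested_email, stored)
        and unicode_ci_compare(requested_email, stored)
    ]


if __name__ == "__main__":
    attacker = "m\u0131ke@example.org"  # 'mıke@example.org' with dotless i
    print(attacker.upper())              # MIKE@EXAMPLE.ORG: collides with victim
    print(vulnerable_reset(attacker))    # [('mike123', 'mıke@example.org')]
    print(fixed_reset(attacker))         # []
    print(fixed_reset("MIKE@example.org"))  # [('mike123', 'mike@example.org')]
```

Note that an ordinary case difference ("MIKE@example.org") still resets the right account after the fix, so legitimate users are unaffected; only addresses that collide purely through the database's case transformation are rejected, and even a user whose address genuinely matches only receives the token at the address on file.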

Affected Platforms (CPE)

Djangoproject Django < 1.11.27
Djangoproject Django >= 2.2 and < 2.2.9
Djangoproject Django = 3.0
Canonical Ubuntu Linux = 16.04
Canonical Ubuntu Linux = 18.04
Canonical Ubuntu Linux = 19.04
Canonical Ubuntu Linux = 19.10
