CVE-2019-19844
CRITICAL
9.8
CVSS Severity Score
Vulnerability Description
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Affected Platforms (CPE)
📦
Djangoproject
Django
< 1.11.27📦
Djangoproject
Django
>= 2.2 and < 2.2.9📦
Djangoproject
Django
= 3.0💻
Canonical
Ubuntu Linux
= 16.04💻
Canonical
Ubuntu Linux
= 18.04💻
Canonical
Ubuntu Linux
= 19.04💻
Canonical