Phithon Gong

#39459 of 53,638
6.9 CVSS total
Vulnerabilities · 1
PT-2018-13817
6.9
2018-10-02
Django Software Foundation · Django · CVE-2018-16984
**Name of the Vulnerable Software and Affected Versions**

- Django versions 2.1 through 2.1.1
- Django versions prior to 2.1.2

**Description**

An issue allows unprivileged users to read the password hashes of arbitrary accounts. The read-only password widget used by the Django Admin to display an obfuscated password hash can be bypassed if a user has only the "view" permission, resulting in the display of the entire password hash. This may result in a vulnerability for sites with legacy user accounts using insecure hashes.

**Recommendations**

- For Django versions 2.1 through 2.1.1, update to version 2.1.2 or later to resolve the issue.
- For Django versions prior to 2.1.2, update to version 2.1.2 or later to resolve the issue.