PT-2019-4872 · Django Software Foundation · Django
Simon Charette · Published 2019-12-15 · Updated 2026-01-03 · CVE-2019-19844
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Django versions prior to 1.11.27
Django versions 2.x prior to 2.2.9
Django versions 3.x prior to 3.0.1
Description
The issue allows account takeover: the password reset flow sends a password reset token to an attacker-controlled address for a matched user account. This occurs when the attacker submits a suitably crafted email address that, after Unicode case transformation, compares equal to an existing user's email address. The new releases mitigate this by sending password reset tokens only to the email address registered on the matched user account.
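To make the description concrete, the following is an added illustration (not Django's own code) of why the fix sends the token to the stored address rather than the submitted one. The user table, the `get_users` helper and `is_exact_match` are constructed for this example; the database's case-insensitive `iexact` comparison is modelled with `str.upper()`, which is an assumption about the collation in use.

```python
# Added illustration of CVE-2019-19844: a case-insensitive email lookup matches
# a user, and the pre-fix code mails the token to the address that was typed.
# The user table and the UPPER()-style comparison are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str


# Constructed sample user table.
USERS = [User("mike", "mike@example.org"), User("sam", "sam@example.org")]


def case_insensitive_match(submitted: str, stored: str) -> bool:
    """Models a database `iexact` lookup done via UPPER() on both sides.
    Unicode case mapping is not one-to-one: distinct characters can share an
    uppercase form, so two different addresses can compare equal here."""
    return submitted.upper() == stored.upper()


def get_users(submitted_email: str) -> list[User]:
    return [u for u in USERS if case_insensitive_match(submitted_email, u.email)]


def reset_recipients_vulnerable(submitted_email: str) -> list[str]:
    """Pre-fix behaviour: a user record is matched, but the reset token is
    e-mailed to the address the requester submitted."""
    return [submitted_email for _ in get_users(submitted_email)]


def reset_recipients_fixed(submitted_email: str) -> list[str]:
    """Post-fix behaviour (1.11.27 / 2.2.9 / 3.0.1): the token goes only to
    the address stored on the matched user record."""
    return [u.email for u in get_users(submitted_email)]


def is_exact_match(submitted_email: str) -> bool:
    """Defensive check for log review or a pre-patch workaround: flag reset
    requests whose submitted address is not exactly a registered one."""
    return any(submitted_email == u.email for u in USERS)


if __name__ == "__main__":
    # Constructed address differing from mike@example.org only in a character
    # whose uppercase form collides with ASCII (U+0131, dotless i).
    lookalike = "m\u0131ke@example.org"
    print(reset_recipients_vulnerable(lookalike))  # token leaves the system
    print(reset_recipients_fixed(lookalike))       # ['mike@example.org']
```

Running the block shows the matched user is the same in both versions; only the recipient differs, which is exactly what the fix changes.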
Recommendations
For Django versions prior to 1.11.27, update to version 1.11.27 or later.
For Django versions 2.x prior to 2.2.9, update to version 2.2.9 or later.
For Django versions 3.x prior to 3.0.1, update to version 3.0.1 or later.
As a temporary workaround, consider restricting password reset functionality to minimize the risk of exploitation.
Exploit
Fix
Weakness Enumeration
Related identifiers
Affected products
Alt Linux
Django
Ubuntu