Simon Charette

**Name of the Vulnerable Software and Affected Versions** Django versions 1.11 through 1.11.27 Django versions 2.2 through 2.2.9 Django versions 3.0 through 3.0.2 **Description** The issue allows SQL Injection if untrusted data is used as a StringAgg delimiter, potentially enabling an attacker to break escaping and inject malicious SQL. This could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** For Django versions 1.11 through 1.11.27, update to version 1.11.28 or later. For Django versions 2.2 through 2.2.9, update to version 2.2.10 or later. For Django versions 3.0 through 3.0.2, update to version 3.0.3 or later. As a temporary workaround, consider restricting the use of the `contrib.postgres.aggregates.StringAgg` instance to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Django versions prior to 1.11.27 Django versions 2.x prior to 2.2.9 Django versions 3.x prior to 3.0.1 **Description** The issue allows account takeover by sending a password reset token to an attacker for a matched user account. This occurs when a suitably crafted email address, equal to an existing user's email address after case transformation of Unicode characters, is used. The new releases mitigate this by sending password reset tokens only to the registered user email address. **Recommendations** For Django versions prior to 1.11.27, update to version 1.11.27 or later. For Django versions 2.x prior to 2.2.9, update to version 2.2.9 or later. For Django versions 3.x prior to 3.0.1, update to version 3.0.1 or later. As a temporary workaround, consider restricting password reset functionality to minimize the risk of exploitation.