PT-2019-13169 · Django · Django-Rest-Registration

Peter Thomassen
Published 2019-07-02 · Updated 2019-07-12
CVE-2019-13177
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: django-rest-registration versions 0.2.* through 0.4.*
Description: The issue arises from misuse of the Django Signing API, which leads to predictable signatures being used in verification emails. This allows remote attackers to spoof the verification process and potentially take over any Django user by resetting their password without ever receiving the reset-password verification link. The vulnerability is considered high severity.
Recommendations: For django-rest-registration versions 0.2.* through 0.4.*, upgrade to version 0.5.0 or higher to resolve the issue. As a temporary workaround, consider disabling the verification options by using the minimal configuration, or temporarily disabling just the reset-password functionality by setting RESET_PASSWORD_VERIFICATION_ENABLED to False in the REST_REGISTRATION settings. If RESET_PASSWORD_VERIFICATION_ONE_TIME_USE is set to True, it may mitigate the security issue in the case of password reset, but upgrading to the newest version is still highly recommended.
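The following is an added example, not text from the advisory and not code from django-rest-registration. It shows a Django settings.py excerpt applying the temporary workaround above, and two small audit helpers a defender can run against an inventory: one that checks whether an installed version falls in the affected 0.2.* through 0.4.* range, and one that checks whether either workaround setting is in effect. It assumes that REST_REGISTRATION is the library's settings dict and that, when a key is absent, the library defaults to RESET_PASSWORD_VERIFICATION_ENABLED=True and RESET_PASSWORD_VERIFICATION_ONE_TIME_USE=False; both assumptions are from knowledge of the library, not from this page.

```python
# Added example (not part of the advisory, not django-rest-registration code):
# settings excerpt for the temporary workaround plus two audit helpers.
#
# Assumed, not stated on the page: REST_REGISTRATION is the library's settings
# dict; absent keys default to RESET_PASSWORD_VERIFICATION_ENABLED=True and
# RESET_PASSWORD_VERIFICATION_ONE_TIME_USE=False.

from typing import Dict, Tuple

# settings.py excerpt: the advisory's temporary workaround, switching the
# reset-password flow off until the upgrade to >= 0.5.0 is deployed.
REST_REGISTRATION: Dict[str, object] = {
    "RESET_PASSWORD_VERIFICATION_ENABLED": False,
}

# The weaker alternative the advisory mentions: keep the flow enabled but make
# each reset link single-use. Upgrading remains the actual fix.
REST_REGISTRATION_ONE_TIME_USE: Dict[str, object] = {
    "RESET_PASSWORD_VERIFICATION_ENABLED": True,
    "RESET_PASSWORD_VERIFICATION_ONE_TIME_USE": True,
}

AFFECTED_MINOR_RANGE: Tuple[int, int] = (2, 4)  # 0.2.* through 0.4.* per the advisory
FIXED_VERSION: Tuple[int, int, int] = (0, 5, 0)  # first fixed release per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into a 3-tuple; a non-numeric tail such as 'rc1' is ignored."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version: str) -> bool:
    """True for django-rest-registration 0.2.* through 0.4.* (the advisory's range)."""
    major, minor, _patch = parse_version(version)
    low, high = AFFECTED_MINOR_RANGE
    return major == 0 and low <= minor <= high


def reset_password_flow_mitigated(rest_registration: Dict[str, object]) -> bool:
    """True if a workaround from the advisory is in effect: the reset-password
    verification flow is disabled, or reset links are one-time use."""
    enabled = bool(rest_registration.get("RESET_PASSWORD_VERIFICATION_ENABLED", True))
    one_time = bool(rest_registration.get("RESET_PASSWORD_VERIFICATION_ONE_TIME_USE", False))
    return (not enabled) or one_time


def needs_action(version: str, rest_registration: Dict[str, object]) -> bool:
    """True when the installed version is in the affected range and neither
    workaround setting is in place (i.e. upgrade or reconfigure now)."""
    return is_affected_version(version) and not reset_password_flow_mitigated(rest_registration)


if __name__ == "__main__":
    # Constructed sample inventory: (installed version, REST_REGISTRATION settings)
    for ver, cfg in [("0.4.5", {}), ("0.4.5", REST_REGISTRATION), ("0.5.0", {})]:
        print(ver, "needs action:", needs_action(ver, cfg))
```

Run against each deployment's pinned version and settings; `needs_action` returning True means the host is in the affected range with the reset-password flow still exposed, and the upgrade to 0.5.0 or later should be scheduled regardless of which workaround is applied.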

Weakness Enumeration
Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2019-13177
GHSA-P3W6-JCG4-52XH
PYSEC-2019-20

Affected Products

Django-Rest-Registration