PT-2019-4872 · Django Software Foundation+2 · Django+2

Simon Charette · Published 2019-12-15 · Updated 2026-01-03 · CVE-2019-19844

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Django versions prior to 1.11.27
Django versions 2.x prior to 2.2.9
Django versions 3.x prior to 3.0.1

Description
The issue allows account takeover by sending a password reset token to an attacker for a matched user account. This occurs when a suitably crafted email address that equals an existing user's email address after case transformation of Unicode characters is submitted. The new releases mitigate this by sending password reset tokens only to the registered user email address.

Recommendations
For Django versions prior to 1.11.27, update to version 1.11.27 or later.
For Django versions 2.x prior to 2.2.9, update to version 2.2.9 or later.
For Django versions 3.x prior to 3.0.1, update to version 3.0.1 or later.
As a temporary workaround, consider restricting password reset functionality to minimize the risk of exploitation.
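To make the mechanism in the description concrete, the following added example (not Django's code and not part of this advisory) models the pre-fix and post-fix password reset recipient lookups over a constructed in-memory user store. The database's case-insensitive comparison is approximated with str.upper(), and the Python re-check mirrors the NFKC-normalise-then-casefold comparison introduced by the fix; the user records and the look-alike address are constructed sample data.

```python
import unicodedata
from dataclasses import dataclass


# Constructed in-memory user store standing in for the Django ORM (not Django's code).
@dataclass(frozen=True)
class User:
    username: str
    email: str
    is_active: bool = True
    has_usable_password: bool = True


USERS = [
    User("mike", "mike@example.org"),
    User("anna", "Anna@Example.org"),
]


def db_iexact_match(stored: str, submitted: str) -> bool:
    """Stand-in for a database's case-insensitive comparison (UPPER(a) = UPPER(b)).

    str.upper() applies full Unicode case mapping, so distinct code points can
    compare equal here, which is the collision the advisory describes."""
    return stored.upper() == submitted.upper()


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Same approach as the fix: NFKC-normalise, then casefold, before comparing."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def reset_recipients_vulnerable(submitted_email: str) -> list[str]:
    """Pre-fix behaviour: any iexact match gets a token, mailed to the SUBMITTED address."""
    return [submitted_email for u in USERS
            if u.is_active and u.has_usable_password
            and db_iexact_match(u.email, submitted_email)]


def reset_recipients_fixed(submitted_email: str) -> list[str]:
    """Post-fix behaviour: re-check the match in Python and mail only the REGISTERED address."""
    return [u.email for u in USERS
            if u.is_active and u.has_usable_password
            and db_iexact_match(u.email, submitted_email)
            and unicode_ci_compare(u.email, submitted_email)]
```

Feed both functions an address that differs from a registered one only by a Unicode case mapping (for instance a dotless i, U+0131, in place of "i"): the vulnerable path returns the unregistered address as a recipient, while the fixed path returns nothing, and for an ordinary ASCII case variant it returns the registered address rather than the submitted spelling.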


Related Identifiers

ALT-PU-2020-1708
ALT-PU-2021-1636
BDU:2020-01459
CVE-2019-19844
DLA-2042-1
DLA-2233-1
DSA-4598-1
GHSA-VFQ6-HQ5R-27R6
OPENSUSE-SU-2024:11205-1
OPENSUSE-SU-2024:11224-1
OPENSUSE-SU-2024:13887-1
OPENSUSE-SU-2024:14065-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2026:10005-1
PYSEC-2019-16
SUSE-RU-2020:2072-1
SUSE-RU-2020:2161-1
SUSE-SU-2020:3309-1
USN-4224-1
USN-6722-1

Affected Products

Alt Linux
Django
Ubuntu