PT-2021-14491 · Unknown · Django-Rest-Registration

Martinmo · Published 2021-04-01 · Updated 2024-07-12

CVE-2021-21416
CVSS v3.1: 3.7 (Low)
Vector: AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: django-registration versions prior to 3.1.2

Description: The django-registration package has an issue where the base user-account registration view does not properly apply filters to sensitive data. This can result in sensitive data being included in error reports rather than being removed automatically by Django. For this to occur, a site must be using django-registration prior to 3.1.2, have detailed error reports enabled, and experience a server-side error during an account registration attempt. Under these conditions, recipients of the detailed error report may see all submitted data, including the user's proposed credentials, such as a password.

Recommendations: For django-registration versions prior to 3.1.2, update to version 3.1.2 or later, which properly applies Django's sensitive_post_parameters() decorator to the base user-registration view. As a temporary workaround, users who cannot upgrade quickly can apply the django.views.decorators.debug.sensitive_post_parameters() decorator to their own registration views by using Django's method_decorator() helper on the dispatch() method of the appropriate RegistrationView class.
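The workaround above, as an added example that is not the page's or django-registration's own code: a standalone Python model of Django's mechanism. The decorator, method_decorator() and the error-report filter are re-implemented in miniature so the script runs without Django installed, the request object and POST body are constructed, and the two view classes show the undecorated dispatch() leaking the password into the report while the decorated one masks it.

```python
from functools import wraps
from types import SimpleNamespace
CLEANSED = "********"  # substitute Django's report filter writes in place of a masked value

def sensitive_post_parameters(*parameters):
    """Mirror of django.views.decorators.debug.sensitive_post_parameters; no arguments means every key."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            request.sensitive_post_parameters = parameters or "__ALL__"  # the tag the report filter reads
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

def method_decorator(decorator):
    """Mirror of django.utils.decorators.method_decorator: adapt (request, ...) to (self, request, ...)."""
    def dec(method):
        @wraps(method)
        def bound(self, *args, **kwargs):
            return decorator(lambda req, *a, **kw: method(self, req, *a, **kw))(*args, **kwargs)
        return bound
    return dec

def cleanse_post(request):
    """Mirror of SafeExceptionReporterFilter.get_post_parameters: POST data as an error report shows it."""
    sensitive = getattr(request, "sensitive_post_parameters", ())
    if sensitive == "__ALL__":
        return {key: CLEANSED for key in request.POST}
    return {key: (CLEANSED if key in sensitive else val) for key, val in request.POST.items()}

class VulnerableRegistrationView:
    """Before 3.1.2: dispatch() is undecorated, so a crash reports the raw POST."""
    def dispatch(self, request):
        raise RuntimeError("simulated server-side error during registration")
class FixedRegistrationView(VulnerableRegistrationView):
    """The advisory's workaround: decorate dispatch() through method_decorator()."""
    @method_decorator(sensitive_post_parameters())
    def dispatch(self, request):
        return super().dispatch(request)

def report_for(view_cls, post):
    """Run a registration attempt that crashes and return what the report would show for POST."""
    request = SimpleNamespace(POST=dict(post))  # stand-in for django.http.HttpRequest
    try:
        view_cls().dispatch(request)
    except RuntimeError:
        pass
    return cleanse_post(request)
SAMPLE_POST = {"username": "alice", "password1": "hunter2", "password2": "hunter2"}  # constructed
```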

Fix

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2021-21416
GHSA-58C7-PX5V-82HH
MGASA-2022-0178
OPENSUSE-SU-2021:0588-1
OPENSUSE-SU-2021:0597-1
OPENSUSE-SU-2021_0588-1
OPENSUSE-SU-2024:11226-1
OPENSUSE-SU-2024:14138-1
PYSEC-2021-11

Affected Products

Debian
Suse
Django-Rest-Registration