CVE-2019-19844

Published: 18 Dec 2019
Source: debian
EPSS: Medium

Description

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
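As an added illustration (not code from this page or from the Django project), the following simulates the two halves of the mitigation described above: a loose case-insensitive lookup is confirmed with a strict NFKC + casefold comparison, and the reset token is addressed to the stored email, never to the submitted one. The user table, addresses and function names are constructed for the example.

```python
import unicodedata

# Constructed sample of registered accounts; stands in for the user table.
USERS = [
    {"username": "alice", "email": "alice@example.com"},
    {"username": "ali", "email": "ali@example.com"},
]


def lenient_ci_match(a: str, b: str) -> bool:
    """Loose case-insensitive match, as an upper()-based DB collation behaves.
    Distinct Unicode characters can collapse to the same uppercase letter."""
    return a.upper() == b.upper()


def unicode_ci_compare(a: str, b: str) -> bool:
    """Strict identifier comparison: NFKC normalisation, then full case folding
    (Unicode TR36, section 2.11.2(B)(2))."""
    return (unicodedata.normalize("NFKC", a).casefold()
            == unicodedata.normalize("NFKC", b).casefold())


def users_for_reset(submitted_email: str):
    """Vulnerable-style lookup: trusts the loose match alone."""
    return [u for u in USERS if lenient_ci_match(u["email"], submitted_email)]


def users_for_reset_fixed(submitted_email: str):
    """Fixed lookup: the loose match narrows candidates, the strict compare confirms."""
    return [u for u in USERS
            if lenient_ci_match(u["email"], submitted_email)
            and unicode_ci_compare(u["email"], submitted_email)]


def reset_recipients(submitted_email: str, fixed: bool = True):
    """Return the addresses a reset token would be mailed to.
    Fixed behaviour: always the stored address; vulnerable: the submitted one."""
    if fixed:
        return [u["email"] for u in users_for_reset_fixed(submitted_email)]
    return [submitted_email for _ in users_for_reset(submitted_email)]
```

With the fix, an address that only collides under case transformation neither matches nor receives a token, while a plain ASCII-case variant of a real address still works and the mail goes to the stored address.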

Packages

Package         Status   Fix version   Release   Type
python-django   fixed    2:2.2.9-1               package

Notes

  • https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

  • https://github.com/django/django/commit/5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70 (master)

  • https://github.com/django/django/commit/302a4ff1e8b1c798aab97673909c7a3dfda42c26 (3.0.x branch)

  • https://github.com/django/django/commit/4d334bea06cac63dc1272abcec545b85136cca0e (2.2.x branch)

  • https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2 (1.11.x branch)

EPSS

Score: 0.12612 (Medium)
Percentile: 94%

Related vulnerabilities

CVSS3: 9.8
ubuntu
more than 5 years ago

CVSS3: 9.8
redhat
more than 5 years ago

CVSS3: 9.8
nvd
more than 5 years ago

CVSS3: 9.8
github
more than 5 years ago

Django Potential account hijack via password reset form

CVSS3: 7.5
fstec
more than 5 years ago

A vulnerability in the Django web application framework, caused by an error in the password recovery mechanism, that allows an attacker to affect data integrity
