CVE-2019-19844
Description
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (one that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
13.973
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2019-19844 are fixed in Python-django 1.11.27 | Windows |
| Vulnerabilities CVE-2019-19844 are fixed in Python-django 2.2.9 | Windows |
| Vulnerabilities CVE-2019-19844 are fixed in Python-django 3.0.1 | Windows |
| High-level Python web development framework (USN-4224-1) python-django_1.8.7-1ubuntu5.11_all.deb | Linux |
| High-level Python web development framework (USN-4224-1) python-django_1.11.20-1ubuntu0.3_all.deb | Linux |
| High-level Python web development framework (USN-4224-1) python-django_1.11.22-1ubuntu1.1_all.deb | Linux |
| High-level Python web development framework (USN-4224-1) python3-django_1.8.7-1ubuntu5.11_all.deb | Linux |
| High-level Python web development framework (USN-4224-1) python3-django_1.11.20-1ubuntu0.3_all.deb | Linux |
| python-django security update(DSA-4598-1) python-django_1.10.7-2+deb9u7_all.deb | Linux |
| python-django security update(DSA-4598-1) python-django_1.11.27-1~deb10u1_all.deb | Linux |
| Vulnerabilities CVE-2019-19844 are fixed in Python-django for linux 1.11.27 | Linux |
| Vulnerabilities CVE-2019-19844 are fixed in Python-django for linux 2.2.9 | Linux |
| Vulnerabilities CVE-2019-19844 are fixed in Python-django for linux 3.0.1 | Linux |
Patch Details
No records found