{"id":"CVE-2019-19844","details":"Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)","aliases":["GHSA-vfq6-hq5r-27r6","PYSEC-2019-16"],"modified":"2026-04-10T04:16:55.563083Z","published":"2019-12-18T19:15:11.780Z","related":["SUSE-RU-2020:2072-1","SUSE-RU-2020:2161-1","SUSE-SU-2020:3309-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:11224-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14065-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/155872/Django-Account-Hijack.html"},{"type":"WEB","url":"https://groups.google.com/forum/#%21topic/django-announce/3oaB2rVH3a0"},{"type":"WEB","url":"https://seclists.org/bugtraq/2020/Jan/9"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCM2DPUI7TOZWN4A6JFQFUVQ2XGE7GUD/"},{"type":"ADVISORY","url":"https://docs.djangoproject.com/en/dev/releases/security/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202004-17"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200110-0003/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4224-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4598"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2019/dec/18/security-releases/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"0"},{"fixed":"358973a12eb3105ba084a2d594428a19223b8582"},{"introduced":"2a62cdcfec85938f40abb2e9e6a9ff497e02afe8"},{"fixed":"c494d90c195a739a7298b073eaa6ed987c2fd0bc"},{"introduced":"0"},{"last_affected":"2a04e24d2dfc8e60a66e4369d970913cb2112d91"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.11.27"},{"introduced":"2.2"},{"fixed":"2.2.9"},{"introduced":"0"},{"last_affected":"3.0"}]}}],"versions":["1.0","1.1","1.11","1.11.1","1.11.10","1.11.11","1.11.12","1.11.13","1.11.14","1.11.15","1.11.16","1.11.17","1.11.18","1.11.19","1.11.2","1.11.20","1.11.21","1.11.22","1.11.23","1.11.24","1.11.25","1.11.26","1.11.3","1.11.4","1.11.5","1.11.6","1.11.7","1.11.8","1.11.9","1.11a1","1.11b1","1.11rc1","1.2","1.2.1","1.3","1.4","1.7a2","2.2","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2a1","2.2b1","2.2rc1","3.0","3.0.1","3.0.10","3.0.11","3.0.12","3.0.13","3.0.14","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.0a1","3.0b1","3.0rc1","stable/3.0.x"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.10"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19844.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}