{"id":"CVE-2019-3787","details":"Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending “unknown.org” to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to a potentially fraudulent address. This would allow the attacker to gain complete control of the user's account.","modified":"2026-04-10T04:18:05.713907Z","published":"2019-06-19T23:15:10.127Z","references":[{"type":"ADVISORY","url":"https://www.cloudfoundry.org/blog/cve-2019-3787"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cloudfoundry/uaa-release","events":[{"introduced":"0"},{"fixed":"5f31da343f6ddde535e5b5aaa3df8d0a2feb1498"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"73.0.0"}]}}],"versions":["ci-upgrade","v10","v11","v12","v12.3","v14","v15","v16","v17","v18","v19","v2","v20","v21","v22","v23","v24","v25","v26","v27","v3","v31","v53","v55","v56","v57","v58","v59","v6","v60","v61.0","v62.0","v63.0","v64.0","v66.0","v67.0","v68.0","v69.0","v7","v70.0","v71.0","v72.0","v8","v9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-3787.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}