DEBIAN-CVE-2019-19844
Status: PUBLISHED
CVSS 9.8 CRITICAL
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
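The matching problem described above, as an added example that is not Django's code or part of this record: a constructed user table looked up case-insensitively (the way an `iexact` email lookup behaves, with full Unicode case mapping), the pre-fix flow that mails the token to the submitted address, and the mitigation the fixed releases adopted, mailing only the stored address. The Kelvin sign (U+212A, which lowercases to plain `k`) is used as the illustrative collision; the user data and function names are assumptions for this example.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Constructed stand-in for a user record (not Django's model)."""
    username: str
    email: str


# Constructed user table for the example.
USERS = [User("mark", "mark@example.com")]


def lookup_iexact(submitted: str):
    """Case-insensitive match: both sides go through Unicode case mapping,
    so distinct code points can compare equal ('\u212a'.casefold() == 'k')."""
    key = submitted.casefold()
    return next((u for u in USERS if u.email.casefold() == key), None)


def reset_recipient_vulnerable(submitted: str):
    """Pre-fix behaviour: the reset token is mailed to the submitted address,
    which may differ from the stored one while still matching the account."""
    user = lookup_iexact(submitted)
    return (submitted, secrets.token_urlsafe(16)) if user else None


def reset_recipient_fixed(submitted: str):
    """Mitigation from the fixed releases: the token is mailed only to the
    email address registered on the matched account."""
    user = lookup_iexact(submitted)
    return (user.email, secrets.token_urlsafe(16)) if user else None


def is_lookalike(submitted: str, stored: str) -> bool:
    """Detection aid for logging: the addresses match only after Unicode
    case mapping and the submitted one carries non-ASCII characters."""
    return (
        submitted != stored
        and submitted.casefold() == stored.casefold()
        and any(ord(c) > 127 for c in submitted)
    )
```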
Risk Scores
CVSS 3.1 base score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | python-django | 0, 0, 0 |
| Debian:12 | python-django | 0, 0, 0 |
| Debian:13 | python-django | 0, 0, 0 |
| Debian:11 | python-django | 0, 0, 0 |
Exploit Intelligence
- PoC for CVE-2019-19844 (https://www.djangoproject.com/weblog/2019/dec/18/security-releases/) (github-poc-repo, github-poc)
- CVE-2019-19844 Docker Edition (github-poc-repo, github-poc)
Timeline
- Dec 18, 2019 CVE Published
- Apr 28, 2026 CVE Updated