Errata ID | 418 |
---|---|
Date | 2020-01-15 |
Source package | python-django |
Fixed in version | 1:1.10.7-2+deb9u7 |
Description | This update addresses the following issue: Django allows account takeover. A suitably crafted email address (one that equals an existing user's email address after case transformation of Unicode characters) would cause a password reset token for the matched user account to be sent to the attacker. One mitigation in the new releases is to send password reset tokens only to the registered user email address. (CVE-2019-19844) |
Additional notes | |
CVE ID | CVE-2019-19844 |
UCS Bug number | #50693 |
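The mechanism behind CVE-2019-19844 and the mitigation named in the description, shown side by side as an added example (this is not Django's code and not part of the erratum): a case-insensitive lookup that compares upper-cased strings, as a database `UPPER(email) = UPPER(%s)` clause does, conflates distinct Unicode strings, so a registered ASCII address can be matched by a lookalike whose characters only upper-case to the same letters. The user table, the lookalike address (built with U+017F, LATIN SMALL LETTER LONG S, whose upper-case form is the ASCII `S`) and all function names are constructed for this illustration.

```python
import unicodedata

# Constructed sample user store: registered email -> username.
USERS = {"susan@example.com": "susan"}

# Constructed lookalike: each "s" replaced by U+017F (long s). "\u017f".upper() == "S",
# so an UPPER()-based comparison cannot tell it apart from the registered address.
LOOKALIKE = "\u017fu\u017fan@example.com"


def match_case_insensitive(submitted):
    """Mimic a database UPPER(email) = UPPER(submitted) lookup.

    Returns the registered addresses that compare equal under upper-casing.
    """
    wanted = submitted.upper()
    return [stored for stored in USERS if stored.upper() == wanted]


def reset_recipients_before(submitted):
    """Flawed flow: for every matched account, the token is mailed to the address
    the requester typed, i.e. possibly a mailbox the requester controls."""
    return [submitted for _ in match_case_insensitive(submitted)]


def reset_recipients_after(submitted):
    """Mitigated flow, following the erratum: the token is mailed only to the
    registered email address of each matched account, never to the submitted one."""
    return list(match_case_insensitive(submitted))


def strict_equal(a, b):
    """Stricter comparison than UPPER(): NFKC normalisation plus casefold. Used
    below to tell exact-case requests apart from lookalike ones."""
    return (unicodedata.normalize("NFKC", a).casefold()
            == unicodedata.normalize("NFKC", b).casefold())


def suspicious_reset_requests(submitted):
    """Detection helper: report (submitted, registered) pairs where the lookup
    matched but the submitted bytes differ from the registered address. A
    site that logs these can spot lookalike reset attempts after patching."""
    return [(submitted, stored)
            for stored in match_case_insensitive(submitted)
            if submitted != stored]


if __name__ == "__main__":
    print("matched:", match_case_insensitive(LOOKALIKE))
    print("before fix, token sent to:", reset_recipients_before(LOOKALIKE))
    print("after fix, token sent to:", reset_recipients_after(LOOKALIKE))
    print("NFKC+casefold still equal:", strict_equal(LOOKALIKE, "susan@example.com"))
    print("suspicious:", suspicious_reset_requests(LOOKALIKE))
```

The point to take from the two `reset_recipients_*` functions is that tightening the lookup alone is not the fix: even a stricter comparison (NFKC plus casefold, shown in `strict_equal`) still treats the long-s lookalike as equal to the registered address, so the defence that holds is choosing the recipient from the stored account record rather than from the request.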