CVE-2019-19844 log

Severity High
Remote Yes
Type Insufficient validation
Django's password-reset form uses a case-insensitive query to retrieve accounts matching the email address requesting the password reset. Because this typically involves explicit or implicit case transformations, an attacker who knows the email address associated with a user account can craft an email address which is distinct from the address associated with that account, but which -- due to the behavior of Unicode case transformations -- ceases to be distinct after case transformation, or which will otherwise compare equal given database case-transformation or collation behavior. In such a situation, the attacker can receive a valid password-reset token for the user account.
Group Package Affected Fixed Severity Status Ticket
AVG-1081 python2-django 1.11.26-1 1.11.27-1 High Fixed
AVG-1080 python-django 2.2.6-1 2.2.9-1 High Fixed