Homepage
About Snyk

Account Hijacking Affecting django-allauth package, versions [,0.41.0)

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Mature
    EPSS
    22.52% (97th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-DJANGOALLAUTH-564371
  • published 18 Dec 2019
  • disclosed 18 Dec 2019
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 18 Dec 2019

CVE-2019-19844 Open this link in a new tab
CWE-345 Open this link in a new tab

How to fix?

Upgrade django-allauth to version 0.41.0 or higher.

Overview

django-allauth is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Affected versions of this package are vulnerable to Account Hijacking. By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.9 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

9.8 critical
Expand this section

Red Hat

9.8 critical