Django before 1.11.27 Weak Password Recovery Mechanism for Forgotten Password Vulnerability


Django before 1.11.27 suffers from a weak password recovery mechanism (forgotten password) vulnerability.


The information has been provided by Salvatore Bonaccorso

The original article can be found at:


Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover through the password reset form. The form looks up accounts by a case-insensitive match on the submitted email address, and that match applies Unicode case mapping rather than ASCII-only folding. An attacker can therefore submit an address that is distinct from a victim's registered address but becomes equal to it after case transformation of Unicode characters (for example, a non-ASCII letter whose uppercase form is an ASCII letter); the lookup matches the victim's account, and the password reset token is emailed to the attacker-supplied address instead of to the victim. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
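The following is an added example, not code from the advisory or from Django itself. It models the lookup described above with a constructed two-user table: db_iexact() mimics a database case-insensitive equality test performed as UPPER(a) = UPPER(b) (an assumption for this example), vulnerable_reset() mails the token to whatever address was typed, and hardened_reset() mails it only to the registered address, as the new releases do. The extra strict_equal() filter (NFKC normalisation plus casefold) is an illustrative addition assumed here, not a check taken from the page; it shows why mailing the stored address, not a stricter comparison, is the mitigation that actually closes the hole.

```python
from __future__ import annotations

import unicodedata

# Constructed sample user table for this example (not real accounts).
# "email" is the address the user registered with.
USERS = [
    {"id": 1, "email": "mike@example.org"},
    {"id": 2, "email": "sam@example.org"},
]


def db_iexact(stored: str, submitted: str) -> bool:
    """Mimic a database case-insensitive equality test done as UPPER(a) = UPPER(b).

    Assumption for this example: str.upper() applies full Unicode case mapping,
    so a non-ASCII letter such as U+0131 (dotless i) or U+017F (long s)
    uppercases to an ASCII letter and collides with an ASCII-only address.
    """
    return stored.upper() == submitted.upper()


def vulnerable_reset(submitted: str) -> list[tuple[int, str]]:
    """Pre-fix behaviour: find accounts by case-insensitive email match and
    mail the reset token to the address the requester typed in.

    Returns (user id, address the token is mailed to) pairs.
    """
    return [(u["id"], submitted) for u in USERS if db_iexact(u["email"], submitted)]


def strict_equal(a: str, b: str) -> bool:
    """Illustrative strict comparison (an assumption for this example, not taken
    from the advisory): normalise to NFKC, then compare with casefold().

    This rejects U+0131 (which has no case folding to 'i') but still accepts
    U+017F, which NFKC maps to plain 's', so it is not sufficient on its own.
    """
    return (unicodedata.normalize("NFKC", a).casefold()
            == unicodedata.normalize("NFKC", b).casefold())


def hardened_reset(submitted: str) -> list[tuple[int, str]]:
    """Post-fix behaviour as described above: the token is mailed only to the
    registered address, so a look-alike submission cannot redirect it. The
    strict comparison is layered on the same lookup as an extra filter.

    Returns (user id, address the token is mailed to) pairs.
    """
    return [
        (u["id"], u["email"])
        for u in USERS
        if db_iexact(u["email"], submitted) and strict_equal(u["email"], submitted)
    ]


if __name__ == "__main__":
    # Legitimate request, dotless-i look-alike, long-s look-alike.
    for addr in ("Mike@example.org", "m\u0131ke@example.org", "\u017fam@example.org"):
        print(repr(addr),
              "vulnerable ->", vulnerable_reset(addr),
              "hardened ->", hardened_reset(addr))
```

Running the block shows the three cases: a plain case variant of a real address is handled identically by both paths; the dotless-i address reaches the victim's account under the vulnerable lookup and has the token mailed to the attacker, while the hardened path sends nothing; the long-s address passes even the strict comparison, but the hardened path still mails the token to the registered address, which is exactly the property the fixed releases rely on.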


Vulnerable Systems:

Django before 1.11.27

Django 2.x before 2.2.9

Django 3.x before 3.0.1


CVE Information:



Disclosure Timeline:
Published Date: 12/18/2019
