py-django: Potential account hijack via password reset form (CVE-2019-19844)
Django's password reset form looked up accounts with a case-insensitive match on the submitted email address and then sent the reset email to the address as it was submitted, not to the address stored on the matched account. By submitting a suitably crafted email address containing Unicode characters that compared equal to an existing user's email address once lower-cased for comparison, an attacker could therefore be sent a password reset token for the matched account, and with it reset that user's password.
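The following is an added illustration written for this page, not Django's code: a small model of the password reset flow with the pre-fix behaviour the advisory describes (a lower()-based match, token mailed to the submitted address) beside a hardened flow that compares addresses with the Unicode Technical Report 36 section 2.11.2(B)(2) algorithm (NFKC normalisation followed by casefold(), which is the comparison the fixed Django releases use) and sends the token only to the address stored on the account. The User and Mailer classes, the victim account and the crafted address are constructed stand-ins for the ORM and the mail backend. The crafted address uses the Kelvin sign (U+212A), which Python lower-cases to an ASCII "k"; whether such an address would actually be delivered to an attacker depends on the receiving mail system, and the model only shows where the token is sent.

```python
"""Model of CVE-2019-19844: lower()-based email match plus mailing the
submitted address, beside the hardened lookup.  Constructed example, not
Django code; User and Mailer stand in for the ORM and the mail backend."""
import secrets
import unicodedata
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str  # address stored at registration


@dataclass
class Mailer:
    """Records which address each reset token was sent to (stand-in for send_mail)."""
    sent: list = field(default_factory=list)

    def send_reset(self, to_address: str, token: str) -> None:
        self.sent.append((to_address, token))


# Constructed victim account.
USERS = [User("mike", "mike@example.com")]


def vulnerable_reset(submitted: str, users, mailer) -> list:
    """Pre-fix behaviour as described in the advisory: match accounts whose
    address compares equal to the submitted one once both are lower-cased,
    then mail the token to the *submitted* address."""
    tokens = []
    for user in users:
        if user.email.lower() == submitted.lower():
            token = secrets.token_urlsafe(16)
            mailer.send_reset(submitted, token)  # attacker-chosen address
            tokens.append(token)
    return tokens


def _unicode_ci_compare(s1: str, s2: str) -> bool:
    """Case-insensitive identifier comparison per UTR 36 section 2.11.2(B)(2):
    NFKC-normalise both strings, then casefold them."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def hardened_reset(submitted: str, users, mailer) -> list:
    """Post-fix behaviour: compare with the UTR 36 algorithm and, crucially,
    send the token to the address stored on the account, never the submitted one.
    A lookalike may still match, but the token then reaches the real owner."""
    tokens = []
    for user in users:
        if _unicode_ci_compare(user.email, submitted):
            token = secrets.token_urlsafe(16)
            mailer.send_reset(user.email, token)  # stored address only
            tokens.append(token)
    return tokens


# Kelvin sign U+212A lower-cases (and NFKC+casefolds) to ASCII 'k', so this
# constructed attacker address compares equal to mike@example.com.
CRAFTED = "mi\u212ae@example.com"


def demo() -> dict:
    """Run both flows against the crafted address and report where tokens went."""
    vuln_mailer, safe_mailer = Mailer(), Mailer()
    vulnerable_reset(CRAFTED, USERS, vuln_mailer)
    hardened_reset(CRAFTED, USERS, safe_mailer)
    return {
        "crafted_differs_from_stored": CRAFTED != USERS[0].email,
        "vulnerable_sent_to": [addr for addr, _ in vuln_mailer.sent],
        "hardened_sent_to": [addr for addr, _ in safe_mailer.sent],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running demo() shows the vulnerable flow handing the token to the crafted address while the hardened flow delivers it to mike@example.com. The Python-level comparison also means the match no longer depends on whatever case transformation the database applies for a case-insensitive query, which differs between backends and collations.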
Fixed In Version:
py-django 3.0.1, 2.2.9, and 1.11.27. Earlier releases in the 3.0, 2.2 and 1.11 series are affected; the installed release can be checked with "python -m django --version". The fix lives in django.contrib.auth.forms.PasswordResetForm, so projects that override its get_users() or save() methods should also review that custom code.
References:
- https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
- https://www.openwall.com/lists/oss-security/2019/12/18/1