Security advisory: Vulnerability in password reset (master branch only)

Posted by Markus Holtermann on November 21, 2016

Today, Florian Apolloner, a member of the Django security team, discovered and fixed a critical security issue in the new PasswordResetConfirmView that was added to the Django master branch on July 16th, 2016. The view didn't validate the password reset token on POST requests and therefore allowed anyone to reset passwords for any user.
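The pattern the advisory describes, beside its hardened form, as an added illustration that is not Django's code: a framework-free sketch of a generic class-based view whose dispatch() routes to get()/post(), where the vulnerable version checks the reset token only on GET and the fixed version checks it in dispatch() before any handler runs. The secret key, user store and token scheme are constructed for the demo.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-secret-key"  # placeholder, not a real key

def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def make_token(user: dict) -> str:
    # Bound to id + current password hash: stops verifying once the password changes.
    msg = f"{user['id']}:{user['password_hash']}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def token_is_valid(user: dict, token: str) -> bool:
    return hmac.compare_digest(make_token(user), token)

class BaseView:
    def __init__(self, users: dict):
        self.users = users
    def dispatch(self, request: dict) -> int:
        # Route on HTTP method, in the manner of a generic class-based view.
        return getattr(self, request["method"].lower())(request)

class VulnerableResetConfirmView(BaseView):
    """Checks the token only when rendering the form (GET); the POST that
    actually changes the password never re-checks it."""
    def get(self, request: dict) -> int:
        user = self.users[request["uid"]]
        return 200 if token_is_valid(user, request["token"]) else 400

    def post(self, request: dict) -> int:
        user = self.users[request["uid"]]
        user["password_hash"] = hash_password(request["form"]["new_password"])
        return 302

class FixedResetConfirmView(VulnerableResetConfirmView):
    """Hardened form: validate the token in dispatch(), before any method
    handler runs, so GET and POST are gated identically."""
    def dispatch(self, request: dict) -> int:
        user = self.users.get(request["uid"])
        if user is None or not token_is_valid(user, request["token"]):
            return 400
        return super().dispatch(request)

def attempt_reset(view_cls, token: str) -> tuple:
    """POST a new password with the given token; return (status, changed)."""
    users = {"alice": {"id": "alice", "password_hash": hash_password("old")}}
    request = {"method": "POST", "uid": "alice", "token": token,
               "form": {"new_password": "new"}}
    status = view_cls(users).dispatch(request)
    return status, users["alice"]["password_hash"] != hash_password("old")
```

A bogus token changes the password through the vulnerable view but is rejected by the fixed one, while a genuine token still succeeds against the fixed view.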

This issue doesn't affect any released versions of Django. Per our security policy, security issues in master, but not present in any released version, are disclosed and fixed in public without pre-notification.

The issue demonstrates the complexity of class-based generic views, and the Django team advises caution when using them for security-sensitive functionality. We'll consider removing the class-based authentication views that are in the master branch, planned for Django 1.11. The discussion for this will take place publicly on the django-developers mailing list.
