Django's password reset mechanism is insecure. A remote attacker can submit to the password reset form a crafted email address containing Unicode characters whose case transformation equals an existing user's email address; the application then sends the password reset token for the matched user account to the attacker.
packetstormsecurity.com/files/155872/Django-Account-Hijack.html
docs.djangoproject.com/en/dev/releases/security/
groups.google.com/forum/#!topic/django-announce/3oaB2rVH3a0
seclists.org/bugtraq/2020/Jan/9
security.netapp.com/advisory/ntap-20200110-0003/
usn.ubuntu.com/4224-1/
www.debian.org/security/2020/dsa-4598
www.djangoproject.com/weblog/2019/dec/18/security-releases/
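The comparison mismatch described above, as an added illustration that is not Django's code: a loose case-insensitive lookup (upper() on both sides, standing in for a database case-insensitive match) accepts a submitted address that differs from the stored one only by a Unicode character with the same uppercase form, whereas the stricter NFKC + casefold identifier comparison from Unicode Technical Report 36 rejects it, and mailing the address on record rather than the submitted one removes the residual risk for lookalikes that survive even the strict check. The user store and function names are constructed for this example.

```python
import unicodedata
from typing import List, Optional

# Constructed sample user store (stored email -> username); not real data.
USERS = {"mike@example.com": "mike", "sam@example.com": "sam"}


def loose_ci_equal(a: str, b: str) -> bool:
    """Upper-case both sides and compare. This stands in for a database
    case-insensitive match and is the weak step: Unicode characters whose
    uppercase form is an ASCII letter (dotless i, long s, ...) collapse
    onto the plain ASCII address."""
    return a.upper() == b.upper()


def strict_ci_equal(a: str, b: str) -> bool:
    """Identifier comparison per Unicode TR36, section 2.11.2(B)(2):
    NFKC-normalize, then casefold, then compare."""
    def fold(s: str) -> str:
        return unicodedata.normalize("NFKC", s).casefold()
    return fold(a) == fold(b)


def match_users(submitted: str, hardened: bool) -> List[str]:
    """Stored addresses that match the submitted one. The hardened path
    keeps only matches that also pass the strict comparison."""
    matches = [e for e in USERS if loose_ci_equal(submitted, e)]
    if hardened:
        matches = [e for e in matches if strict_ci_equal(submitted, e)]
    return matches


def reset_recipient(submitted: str, hardened: bool) -> Optional[str]:
    """Address that would receive the reset token, or None if no match.
    The weak path mails the submitted address; the hardened path mails
    the address on record, so a compatibility-equivalent lookalike that
    still passes the strict check (long s -> s under NFKC) cannot divert
    the token away from the account owner."""
    matches = match_users(submitted, hardened)
    if not matches:
        return None
    return matches[0] if hardened else submitted


if __name__ == "__main__":
    lookalike = "m\u0131ke@example.com"  # dotless i: upper() gives "MIKE..."
    print(reset_recipient(lookalike, hardened=False))  # the submitted lookalike
    print(reset_recipient(lookalike, hardened=True))   # None
```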