django-allauth@0.33.0 vulnerabilities

Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

  • latest version

    65.7.0

  • first published

    14 years ago

  • latest version published

    17 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the django-allauth package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • [M] Timing Attack

    Affected versions of this package are vulnerable to Timing Attack in the AuthenticationBackend._authenticate_by_email method, which allows attackers to determine whether a user account exists by measuring response times during email/password authentication attempts.

    How to fix Timing Attack?

    Upgrade django-allauth to version 65.3.0 or higher.

    Vulnerable versions: [,65.3.0)
    • [M] Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input. The issue is exploitable when the Facebook provider is configured to use the js_sdk method, potentially compromising user sessions or exposing sensitive information.

    How to fix Cross-site Scripting (XSS)?

    Upgrade django-allauth to version 0.63.6 or higher.

    Vulnerable versions: [,0.63.6)
    • [M] Cross-site Request Forgery (CSRF)

    Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the SAML login flow. RelayState was used to keep track of whether the login flow was IdP- or SP-initiated. Because RelayState is a separate field rather than part of the SAMLResponse payload, it was not covered by the response signature, which is what made the forgery possible.

    How to fix Cross-site Request Forgery (CSRF)?

    Upgrade django-allauth to version 0.63.3 or higher.

    Vulnerable versions: [,0.63.3)
    • [H] Timing Attack

    Affected versions of this package are vulnerable to Timing Attack, which allows an attacker to infer whether a given account exists from the response time of an authentication attempt. This occurs even when account enumeration prevention is turned on.

    How to fix Timing Attack?

    Upgrade django-allauth to version 0.54.0 or higher.

    Vulnerable versions: [,0.54.0)
    • [M] Account Hijacking

    Affected versions of this package are vulnerable to Account Hijacking. By submitting a crafted email address containing Unicode characters that compared equal to an existing user's email once both were lower-cased for comparison, an attacker could be sent the password reset token for the matched account.

    How to fix Account Hijacking?

    Upgrade django-allauth to version 0.41.0 or higher.

    Vulnerable versions: [,0.41.0)
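The Unicode case-folding collision behind the Account Hijacking entry, as an added example that is not code from django-allauth or from this page: a lookup that compares addresses after str.lower() treats a look-alike containing U+212A KELVIN SIGN as equal to an existing ASCII address, while a re-check that folds only ASCII letters rejects it. The sample accounts and the function names are constructed for illustration.

```python
import string
from typing import List, Optional, Tuple

# Constructed sample data: one existing account and a look-alike address.
# U+212A (KELVIN SIGN) lowercases to plain ASCII 'k' under str.lower(),
# so the look-alike collides with the stored address after lower-casing.
USERS: List[Tuple[str, str]] = [("mike@example.com", "user-42")]
LOOKALIKE = "mi\u212ae@example.com"

# Translation table that folds only A-Z; non-ASCII code points are untouched.
_ASCII_CASE = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def ascii_lower(s: str) -> str:
    """Lower-case ASCII letters only, unlike str.lower()."""
    return s.translate(_ASCII_CASE)


def naive_lookup(submitted: str) -> Optional[str]:
    """Vulnerable pattern: match the account by full-Unicode lower-casing.
    Returns the user id, or None when no account matches."""
    key = submitted.lower()
    for stored, user_id in USERS:
        if stored.lower() == key:
            return user_id
    return None


def strict_lookup(submitted: str) -> Optional[str]:
    """Hardened pattern: run the same case-insensitive search, then require
    the submitted address to equal the stored one under ASCII-only folding,
    so a Unicode look-alike is never handed the reset token."""
    key = submitted.lower()
    for stored, user_id in USERS:
        if stored.lower() != key:
            continue
        if ascii_lower(stored) == ascii_lower(submitted):
            return user_id
    return None
```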