rpm package
opensuse/python-django-allauth&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/python-django-allauth&distro=openSUSE%20Tumbleweed
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-65431 | — | < 65.16.1-2.1 | 65.16.1-2.1 | Dec 15, 2025 | An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub | ||
| CVE-2025-65430 | — | < 65.16.1-2.1 | 65.16.1-2.1 | Dec 15, 2025 | An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected. | ||
| CVE-2019-19844 | Cri | 9.8 | < 0.63.3-1.1 | 0.63.3-1.1 | Dec 18, 2019 | Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token fo |
- CVE-2025-65431Dec 15, 2025affected < 65.16.1-2.1fixed 65.16.1-2.1
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub
- CVE-2025-65430Dec 15, 2025affected < 65.16.1-2.1fixed 65.16.1-2.1
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.
- affected < 0.63.3-1.1fixed 0.63.3-1.1
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token fo