View all vulnerabilities

CVE-2024-45231

Django allows enumeration of user e-mail addresses

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Fix without upgrading
Vulnerability Details
Score
3.6
Score Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Versions
django >= 5.1 < 5.1.1; django >= 5.0 < 5.0.9; django < 4.2.16
Severity
Low
Ecosystem
Python
Publish Date
October 8, 2024
Modified Date
October 30, 2024