BIT-django-2024-45231

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/django/BIT-django-2024-45231.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-django-2024-45231

Aliases

Published

2024-10-19T07:08:43.877Z

Modified

2024-10-19T07:57:14.574315Z

Summary

[none]

Details

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

References

Affected packages

Bitnami / django

Package

Name: django
Purl: pkg:bitnami/django

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

4.2.0

Fixed

4.2.16

Introduced

5.0.0

Fixed

5.0.9

Type: SEMVER
Events: Introduced

5.1.0

Last affected

5.1.0