An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
History

Wed, 30 Oct 2024 17:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-203
Metrics | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 19 Oct 2024 01:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Djangoproject; Djangoproject django
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*; cpe:2.3:a:djangoproject:django:5.1:*:*:*:*:*:*:*
Vendors & Products | | Djangoproject; Djangoproject django
Metrics | cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'} | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Tue, 08 Oct 2024 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 08 Oct 2024 15:30:00 +0000

Type | Values Removed | Values Added
Description | A flaw was found in Python's Django package. This flaw allows an attacker to enumerate users' emails by issuing password reset requests. | An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
References | |

Thu, 26 Sep 2024 02:30:00 +0000

Type | Values Removed | Values Added
Description | No description is available for this CVE. | A flaw was found in Python's Django package. This flaw allows an attacker to enumerate users' emails by issuing password reset requests.

Tue, 24 Sep 2024 23:30:00 +0000

Type | Values Removed | Values Added
Description | | No description is available for this CVE.
Title | | python-django: Potential user email enumeration via response status on password reset
References | |
Metrics | threat_severity None | cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}; threat_severity Low


MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-10-08T00:00:00

Updated: 2024-10-30T16:37:12.474Z

Reserved: 2024-08-24T00:00:00

Link: CVE-2024-45231

Vulnrichment

Updated: 2024-10-08T20:06:24.588Z

NVD

Status: Modified

Published: 2024-10-08T16:15:11.997

Modified: 2024-10-30T17:35:10.147

Link: CVE-2024-45231

Redhat

Severity: Low

Published Date: 2024-09-03T00:00:00Z

Links: CVE-2024-45231 - Bugzilla