CVE-2024-45231

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:5.1:*:*:*:*:*:*:*

History

30 Oct 2024, 17:35

Type Values Removed Values Added
CWE CWE-203

19 Oct 2024, 00:56

Type Values Removed Values Added
CPE cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:5.1:*:*:*:*:*:*:*
First Time Djangoproject
Djangoproject django
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
CWE NVD-CWE-noinfo
References () https://docs.djangoproject.com/en/dev/releases/security/ - () https://docs.djangoproject.com/en/dev/releases/security/ - Vendor Advisory
References () https://groups.google.com/forum/#%21forum/django-announce - () https://groups.google.com/forum/#%21forum/django-announce - Permissions Required
References () https://www.djangoproject.com/weblog/2024/sep/03/security-releases/ - () https://www.djangoproject.com/weblog/2024/sep/03/security-releases/ - Vendor Advisory

10 Oct 2024, 12:56

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema en Django v5.1.1, v5.0.9 y v4.2.16. La clase django.contrib.auth.forms.PasswordResetForm, cuando se utiliza en una vista que implementa flujos de restablecimiento de contraseña, permite a atacantes remotos enumerar las direcciones de correo electrónico de los usuarios mediante el envío de solicitudes de restablecimiento de contraseña y la observación del resultado (solo cuando el envío de correo electrónico falla constantemente).

08 Oct 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-08 16:15

Updated : 2024-10-30 17:35


NVD link : CVE-2024-45231

Mitre link : CVE-2024-45231

CVE.ORG link : CVE-2024-45231


JSON object : View

Products Affected

djangoproject

  • django
CWE
NVD-CWE-noinfo CWE-203

Observable Discrepancy