CVE-2024-45231

Medium

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view…

mitre·NVD-CWE-noinfo·Published 2024-10-08

CVSS

5.3

EPSS

0.01

KEV

Exploits

cve.orgen

344 chars

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

NVDen

344 chars

OSV.deven

344 chars

GHSAen

344 chars

NVDes

458 chars

Se descubrió un problema en Django v5.1.1, v5.0.9 y v4.2.16. La clase django.contrib.auth.forms.PasswordResetForm, cuando se utiliza en una vista que implementa flujos de restablecimiento de contraseña, permite a atacantes remotos enumerar las direcciones de correo electrónico de los usuarios mediante el envío de solicitudes de restablecimiento de contraseña y la observación del resultado (solo cuando el envío de correo electrónico falla constantemente).

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
3.1	Primary	cve.org	5.3	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Primary	NVD	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Primary	cve.org	5.3	—	—	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Secondary	NVD	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
3.1	Secondary	GHSA	3.7	—	—	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0	Secondary	GHSA	6.3	—	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N