CVE-2024-45231 — Vulnetix

CVE-2024-45231 PUBLISHED

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

EPSS 0.23% · 46.6th percentile

Risk Scores

EPSS Score

0.23%

46.6th percentile

Affected Products

Vendor	Product	Versions
Bitnami	django	4.2.0, 5.0.0, 5.1.0
Bitnami	django	4.2.0, 5.0.0, 5.1.0

Exploit Intelligence

https://docs.djangoproject.com/en/dev/releases/security/ (circl)
https://groups.google.com/forum/#%21forum/django-announce (circl)
https://www.djangoproject.com/weblog/2024/sep/03/security-releases/ (circl)

Timeline

Sep 3, 2024 CVE Published
Oct 9, 2024 EPSS Score
Oct 14, 2024 Coalition ESS Score
Oct 19, 2024 Coalition ESS Score
Oct 28, 2024 EPSS Score
Oct 30, 2024 Coalition ESS Score
Nov 16, 2024 EPSS Score
Dec 6, 2024 EPSS Score
Dec 24, 2024 EPSS Score
Jan 12, 2025 EPSS Score
Jan 27, 2025 Coalition ESS Score
Jan 31, 2025 EPSS Score

References

https://docs.djangoproject.com/en/dev/releases/security/ url
https://groups.google.com/forum/#%21forum/django-announce url
https://www.djangoproject.com/weblog/2024/sep/03/security-releases/ url
https://nvd.nist.gov/vuln/detail/CVE-2024-45231 url

Open in Interactive Console →