MEDIUM · CVSS 5.3
CVE-2024-45231 — Django password-reset user enumeration
Django's `PasswordResetForm` (the form behind `PasswordResetView`) did not handle failures while sending the reset email. If the mail backend raised, for example because the SMTP server was unreachable, the exception propagated and produced an error response, but only for addresses that belong to an existing user; unknown addresses still got the normal redirect. That difference in response status lets an attacker confirm which email addresses are registered.
Affects
- Django 4.2 < 4.2.16
- Django 5.0 < 5.0.9
- Django 5.1 < 5.1.1
What an attacker does
The attacker submits a list of candidate email addresses to the password-reset endpoint and compares the responses. While email delivery is failing (an outage or a misconfigured backend), registered addresses produce an error response, typically HTTP 500, whereas unknown addresses produce the usual redirect to the "email sent" page. The attacker cannot trigger the delivery failure directly, but the oracle is open for as long as the failure lasts, and the request needs no authentication.
How to detect
Check the installed version with `pip show django` or `python -m django --version` and compare it against the fixed releases listed above; `pip-audit` will flag the CVE as well. If the project subclasses `PasswordResetForm` and overrides `save()` or `send_mail()`, review that code separately: upgrading Django does not fix a local copy of the old logic.
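A small version check for this CVE, added here as an example rather than Securie's own tooling. It classifies a Django version string against the fixed releases named above and, when run directly, reports on the Django installed in the current environment. The version strings in the docstring are constructed inputs; the "unsupported" outcome for series older than 4.2 reflects that no patched release was published for end-of-life series.

```python
"""Version check for CVE-2024-45231 (added example, not Securie's own tooling).

Fixed releases: 4.2.16, 5.0.9 and 5.1.1. Later series (5.2 and up) were
cut after the fix landed and contain it.
"""
import re
from importlib import metadata

# First release in each affected series that contains the fix.
FIXED = {(4, 2): (4, 2, 16), (5, 0): (5, 0, 9), (5, 1): (5, 1, 1)}


def parse_version(text):
    """Return the numeric (major, minor, patch) prefix of a version string.

    '4.2.16' -> (4, 2, 16); '5.1' -> (5, 1, 0); '5.1rc1' -> (5, 1, 0).
    Pre-release suffixes are dropped, which is conservative: '5.1rc1'
    becomes 5.1.0 and is therefore reported as vulnerable.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def check_django_version(text):
    """Classify a Django version string with respect to CVE-2024-45231.

    Returns 'fixed', 'vulnerable' or 'unsupported'. 'unsupported' means a
    series older than 4.2, which was end-of-life when the fix shipped and
    received no patched release; treat it as vulnerable in practice.
    """
    version = parse_version(text)
    series = version[:2]
    if series in FIXED:
        return "fixed" if version >= FIXED[series] else "vulnerable"
    if series > max(FIXED):
        return "fixed"  # 5.2 and later were released after the patch
    return "unsupported"


def installed_django_version():
    """Version of the Django distribution in this environment, or None."""
    try:
        return metadata.version("django")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    installed = installed_django_version()
    if installed is None:
        print("Django is not installed in this environment")
    else:
        print(f"Django {installed}: {check_django_version(installed)}")
```

Run it inside the project's virtualenv so it sees the same Django the application imports, not a system-wide copy.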
How to fix
Upgrade to Django 4.2.16, 5.0.9 or 5.1.1 (or any later release). The fix catches exceptions raised while sending the reset email, logs them, and returns the same redirect whether or not the address matched a user. If you ship a custom reset form or view, apply the same rule: the response must not depend on whether the address exists or on whether delivery succeeded.
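The oracle and its fix side by side, as an added example rather than Django's or Securie's code. It is a stripped-down model of `PasswordResetForm.save()`: the registered-user set, the always-failing mail backend and the status codes are constructed stand-ins for a real deployment, and the "framework" that turns an uncaught exception into a 500 is a two-line helper. The vulnerable handler lets the send error escape; the fixed handler logs it and returns the redirect regardless, matching the shape of the upstream fix.

```python
"""Why an unhandled send failure is an enumeration oracle, and the fix.

Added example, not Django's code. Everything here is a constructed model:
one registered address, a mail backend whose SMTP server is down, and a
helper that maps uncaught exceptions to HTTP 500 the way a framework would.
"""
import logging

logger = logging.getLogger(__name__)

# Constructed user store: only one registered address.
REGISTERED = {"alice@example.com"}


def smtp_send_failing(to_address):
    """Stand-in for a mail backend whose SMTP server is unreachable."""
    raise ConnectionRefusedError(f"smtp: connection refused sending to {to_address}")


def users_for(email):
    """Mirror of get_users(): active accounts whose email matches."""
    return [email] if email.lower() in REGISTERED else []


def reset_vulnerable(email, send=smtp_send_failing):
    """Pre-fix behaviour: a send error propagates, but only for existing users."""
    for user_email in users_for(email):
        send(user_email)  # raises for registered addresses when mail is down
    return 302  # redirect to the 'email sent' page


def reset_fixed(email, send=smtp_send_failing):
    """Post-fix behaviour: send errors are logged, the response is constant."""
    for user_email in users_for(email):
        try:
            send(user_email)
        except Exception:
            # Same shape as the upstream fix: log it, never surface it to the client.
            logger.exception("Failed to send password reset email to %s", user_email)
    return 302


def http_status(view, email):
    """Stand-in for the framework: an uncaught exception becomes HTTP 500."""
    try:
        return view(email)
    except Exception:
        return 500


def enumerate_accounts(view, candidates):
    """Attacker's loop: any response other than the normal redirect leaks."""
    return {email for email in candidates if http_status(view, email) != 302}


# Constructed candidate list an attacker might probe with.
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("vulnerable leaks:", enumerate_accounts(reset_vulnerable, CANDIDATES))
    print("fixed leaks:     ", enumerate_accounts(reset_fixed, CANDIDATES))
```

The point to carry into a review of custom reset code is the position of the `try`: it has to wrap the send inside the per-user loop so that neither an exception nor an early return changes what the client sees.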
How Securie catches it
Securie audits auth-flow endpoints for user-enumeration oracles.