PYSEC-2018-4

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2018-4.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2018-4
Aliases
Published
2018-02-05T03:29:00Z
Modified
2023-11-08T04:00:21.087397Z
Summary
[none]
Details

django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.

References

Affected packages

PyPI / django

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0
Fixed
2.0.2

Affected versions

2.*

2.0
2.0.1