3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-45231

GHSA ID

GHSA-rrqc-c2jx-6jgv

EPSS Score

0.39107%

CWE

CWE-203

Published

10/8/2024

Updated

10/30/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45231

CVE-2024-45231: Django allows enumeration of user e-mail addresses

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-45231

CVE-2024-45231:

3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-45231

GHSA ID

GHSA-rrqc-c2jx-6jgv

EPSS Score

0.39107%

CWE

CWE-203

Published

10/8/2024

Updated

10/30/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Django	pip	>= 5.1, < 5.1.1	5.1.1
Django	pip	>= 5.0, < 5.0.9	5.0.9
Django	pip	< 4.2.16	4.2.16

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unhandled exceptions in PasswordResetForm's send_mail method. The commit diff shows a try-except block was added to catch email sending failures and log them instead of propagating exceptions. Prior to this fix, failed email delivery (e.g., due to backend issues) would result in server errors, creating an observable discrepancy between valid and invalid email submissions. This allowed attackers to infer registered emails based on HTTP response status codes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-45231: Django allows enumeration of user e-mail addresses

CVE-2024-45231:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-45231: Django allows enumeration of user e-mail addresses

Basic Information

Basic Information

3.7

3.7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI