Django Software Foundation · Django · CVE-2018-6188
**Name of the Vulnerable Software and Affected Versions**
Django versions 1.11.8 through 1.11.9
Django versions 2.0 through 2.0.1
**Description**
The issue lies in the `confirm_login_allowed()` method of `django.contrib.auth.forms.AuthenticationForm`, whose data exposure allows remote attackers to obtain potentially sensitive information. In particular, it can be used to discover whether a user account is inactive.
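To make the exposure concrete, the following is an added example rather than the advisory's or Django's own code: a simplified, hypothetical model of a login form whose error message acts as an account-status oracle, beside a hardened variant and a regression check a defender can keep in a test suite. The user store, passwords and message strings are constructed for the example.

```python
"""Simplified model of the flaw class in CVE-2018-6188: a login form whose
error message reveals an inactive account before valid credentials are supplied,
beside a hardened variant. Hypothetical code, not Django's; the user store and
password check are constructed for this example."""
from dataclasses import dataclass
import hmac

INVALID = "Please enter a correct username and password."
INACTIVE = "This account is inactive."

@dataclass
class User:
    password: str  # plaintext only because this is a constructed sample store
    is_active: bool

USERS = {  # constructed sample accounts
    "alice": User("s3cret", is_active=True),
    "bob": User("hunter2", is_active=False),
}

def authenticate(username, password):
    """Credential check only; account status is left to confirm_login_allowed."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user.password, password):
        return None
    return user

def confirm_login_allowed(user):
    """Form-level status check: an error message, or None if login may proceed."""
    return None if user.is_active else INACTIVE

def clean_vulnerable(username, password):
    """Flawed form: a failed login still runs the status check on the looked-up
    account, so a caller holding no valid password learns it is inactive."""
    user = authenticate(username, password)
    checked = user if user is not None else USERS.get(username)
    if checked is not None and confirm_login_allowed(checked):
        return confirm_login_allowed(checked)
    return None if user is not None else INVALID

def clean_hardened(username, password):
    """Fixed form: the status check runs only on an authenticated user, so a
    wrong password gives the same generic message for every username."""
    user = authenticate(username, password)
    return INVALID if user is None else confirm_login_allowed(user)

def is_status_oracle(clean):
    """Regression check for a test suite: a wrong password must produce the same
    message for an inactive account as for an unknown one."""
    return clean("bob", "wrong") != clean("nobody", "wrong")
```

The hardened form still reports an inactive account, but only after the password has been verified, which is the behaviour the fixed Django releases restore.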
**Recommendations**
For Django versions 1.11.8 through 1.11.9, update to a version that contains a fix for this issue.
For Django versions 2.0 through 2.0.1, update to a version that contains a fix for this issue.
As a temporary workaround, consider restricting access to the `confirm_login_allowed()` method until a patch is available.