Django · Django · CVE-2024-45231
**Name of the Vulnerable Software and Affected Versions**
Django versions 4.2.16, 5.0.9, and 5.1.1
**Description**
An issue was discovered in the django.contrib.auth.forms.PasswordResetForm class that allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome while e-mail sending is consistently failing. The cause is unhandled e-mail sending failures: a send is only attempted for addresses that match an account, so an unhandled failure surfaces only for registered addresses, and the difference in outcome reveals whether an address exists. Exceptions raised while sending the password reset e-mail are now handled and logged using the "django.contrib.auth" logger.
**Recommendations**
For Django versions 4.2.16, 5.0.9, and 5.1.1, update to a version where exceptions occurring during password reset e-mail sending are handled and logged using the "django.contrib.auth" logger, which removes the user e-mail enumeration risk. As a temporary workaround, add custom exception handling and logging around password reset e-mail sending so that the outcome returned to the requester is the same whether or not a message was sent.
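The following is an added example, not Django's own code and not part of this advisory. It models the shape of PasswordResetForm.save() with plain Python (a constructed user store and two stand-in mail backends, all assumptions) so the oracle and the mitigation can be run side by side without a Django installation: the unmitigated function lets a sending failure escape, so a failing backend produces an error only for registered addresses, while the mitigated function catches the exception, logs it to the "django.contrib.auth" logger and returns the same result in every case.

```python
"""Model of the password-reset enumeration oracle and its mitigation.

Added example; this is NOT Django's code. USERS, FailingBackend and
RecordingBackend are constructed stand-ins for the user model and the
e-mail backend, chosen so the example runs offline.
"""
import logging

# Same logger name the fixed Django versions use for these failures.
logger = logging.getLogger("django.contrib.auth")


class _ListHandler(logging.Handler):
    """Collects log records so the example can show what operators would see."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


log_sink = _ListHandler()
logger.addHandler(log_sink)
logger.setLevel(logging.ERROR)

# Constructed user store: e-mail address -> user id (assumption).
USERS = {"alice@example.test": 1, "bob@example.test": 2}


class FailingBackend:
    """Stand-in backend whose send() always raises, like an unreachable SMTP host."""

    def send(self, to, subject, body):
        raise ConnectionError("SMTP connection refused")


class RecordingBackend:
    """Stand-in backend that records messages instead of delivering them."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


def users_for(email):
    """Mirror of the form's lookup: a send is attempted only for matching accounts."""
    return [USERS[email]] if email in USERS else []


def reset_unmitigated(email, backend):
    """Vulnerable shape: a sending failure propagates to the caller.

    With a failing backend, a registered address raises (an HTTP 500 from the
    view) while an unregistered address returns normally; that difference is
    the enumeration oracle described in the advisory.
    """
    for user_id in users_for(email):
        backend.send(email, "Password reset", f"reset token for user {user_id}")
    return "ok"


def reset_mitigated(email, backend):
    """Mitigated shape: the failure is caught and logged; the outcome is uniform."""
    for user_id in users_for(email):
        try:
            backend.send(email, "Password reset", f"reset token for user {user_id}")
        except Exception:
            # Record the failure for operators; never surface it to the requester.
            logger.exception("Failed to send password reset email to user %s", user_id)
    return "ok"


def observe(fn, email, backend):
    """What a remote requester can distinguish: the result or the exception type."""
    try:
        return fn(email, backend)
    except Exception as exc:
        return f"error:{type(exc).__name__}"


if __name__ == "__main__":
    for fn in (reset_unmitigated, reset_mitigated):
        for addr in ("alice@example.test", "nobody@example.test"):
            print(fn.__name__, addr, "->", observe(fn, addr, FailingBackend()))
    print("logged:", [r.getMessage() for r in log_sink.records])
```

To apply the same pattern in a Django project still on an unfixed release, subclass PasswordResetForm, override its send_mail method to wrap the call to super().send_mail(...) in a try/except that logs to the "django.contrib.auth" logger, and point the password reset view at the subclass; the view then returns the same redirect regardless of whether a message was delivered.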