PT-2018-3993 · Django Software Foundation · Django

Jack Cushman · Published 2018-02-05 · Updated 2026-01-03

CVE-2018-6188

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Django versions 1.11.8 through 1.11.9
Django versions 2.0 through 2.0.1

Description

The flaw lies in the confirm_login_allowed() method of django.contrib.auth.forms.AuthenticationForm. It exposes data that lets a remote attacker obtain potentially sensitive information, specifically whether a given user account is inactive.

Recommendations

For Django versions 1.11.8 through 1.11.9, update to a version that contains a fix for this issue. For Django versions 2.0 through 2.0.1, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the confirm_login_allowed() method until a patch is available.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2024-09053
CVE-2018-6188
GHSA-RF4J-J272-FJ86
OPENSUSE-SU-2018:0632-1
OPENSUSE-SU-2023:0077-1
OPENSUSE-SU-2024:11205-1
OPENSUSE-SU-2024:13887-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2026:10005-1
PYSEC-2018-4
RHSA-2018:2927

Affected Products

Django
Ubuntu