summaryrefslogtreecommitdiff
path: root/docs/releases/5.0.9.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases/5.0.9.txt')
-rw-r--r--docs/releases/5.0.9.txt11
1 files changed, 11 insertions, 0 deletions
diff --git a/docs/releases/5.0.9.txt b/docs/releases/5.0.9.txt
index 50e94ea3f2..52595ae4ff 100644
--- a/docs/releases/5.0.9.txt
+++ b/docs/releases/5.0.9.txt
@@ -13,3 +13,14 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
+
+CVE-2024-45231: Potential user email enumeration via response status on password reset
+======================================================================================
+
+Due to unhandled email sending failures, the
+:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
+attackers to enumerate user emails by issuing password reset requests and
+observing the outcomes.
+
+To mitigate this risk, exceptions occurring during password reset email sending
+are now handled and logged using the :ref:`django-contrib-auth-logger` logger.
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 07:23:09 +0000