Impact
The password reset form on the login page responds differently to valid and invalid e-mail addresses. Submitting an address that is not registered returns "The e-mail address is not assigned to any user account.", while submitting a registered address returns a message stating that an e-mail has been sent. Because the two replies are distinguishable, an unauthenticated attacker can use the form to enumerate which e-mail addresses have an account.
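As an added illustration (not code from this project or from django-allauth), the following models the oracle described above and a hardened variant that returns the same response regardless of whether the address is known. The user store, the message strings, and the function names are constructed for the example; only the "not assigned to any user account" message is taken from the advisory.

```python
# Added example: a password-reset oracle and its hardened form (not the project's code).

# Constructed sample store mapping normalised e-mail -> user record (not real data).
USERS = {
    "alice@example.com": {"id": 1},
    "bob@example.com": {"id": 2},
}

MSG_UNKNOWN = "The e-mail address is not assigned to any user account."  # from the advisory
MSG_SENT = "We have sent you an e-mail. Please follow the link to reset your password."  # assumed
MSG_UNIFORM = "If that e-mail address is registered, a password-reset e-mail has been sent."  # assumed


def _lookup(email):
    """Normalise the submitted address and look it up in the constructed store."""
    return USERS.get(email.strip().lower())


def reset_vulnerable(email, outbox):
    """Reset handler with the enumeration oracle: the reply depends on account existence."""
    user = _lookup(email)
    if user is None:
        return {"status": 200, "message": MSG_UNKNOWN}
    outbox.append(email.strip().lower())  # simulate sending the reset link
    return {"status": 200, "message": MSG_SENT}


def reset_hardened(email, outbox):
    """Same status and message for every address; mail is only sent for known accounts."""
    if _lookup(email) is not None:
        outbox.append(email.strip().lower())
    return {"status": 200, "message": MSG_UNIFORM}


def enumerate_accounts(reset_fn, candidates):
    """Attacker's view: get a baseline reply for an address that certainly has no
    account, then report every candidate whose reply differs from that baseline."""
    outbox = []
    baseline = reset_fn("no-such-user@invalid.example", outbox)
    confirmed = []
    for email in candidates:
        reply = reset_fn(email, outbox)
        if (reply["status"], reply["message"]) != (baseline["status"], baseline["message"]):
            confirmed.append(email)
    return confirmed


if __name__ == "__main__":
    probe = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("vulnerable:", enumerate_accounts(reset_vulnerable, probe))
    print("hardened:  ", enumerate_accounts(reset_hardened, probe))
```

Two caveats when applying the hardened pattern for real: the uniform reply must also match in HTTP status, redirect target and form errors, not just the visible text; and because mail is still only sent for known accounts, the response time can differ, so queue the send (or otherwise equalise timing) rather than sending inline. Newer django-allauth releases expose a setting named ACCOUNT_PREVENT_ENUMERATION for this behaviour; confirm its presence and default in the documentation of the version you upgrade to.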
Patches
- This vulnerability can be traced to a third-party library (django-allauth)
- A patch has been applied to update the django-allauth library to a newer version
- See PR #3217
- The fix will be made available in the upcoming 0.8.0 stable release
Workarounds
None
References
For more information
If you have any questions or comments about this advisory: