Description
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password.
Remediation
References
Related Vulnerabilities
SharePoint Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2019-1261)
Apache HTTP Server Out-of-bounds Write Vulnerability (CVE-2021-26691)
Liferay Portal Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2025-43810)
WordPress Plugin Publish to Schedule Cross-Site Request Forgery (4.4.2)
Atlassian Jira Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2019-11586)