Information disclosure in Django

Published: 2018-02-06
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-6188
Exploitation vector Network
Public exploit N/A
Vulnerable software
Web applications / CMS

Vendor Django Software Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU10386

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6188

CWE-ID: CWE-200 - Information exposure

Exploit availability: No


The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists in the django.contrib.auth.forms.AuthenticationForm process of Django due to improper security restrictions. A remote attacker can use the confirm_login_allowed function, enter an invalid password or arbitrary user name during use of that function and access sensitive information on the targeted system.


Update to version 1.11.10 or 2.0.2.

Vulnerable software versions

Django: 1.11.8 - 2.0.3

External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.