Threat actors are actively exploiting two of the vulnerabilities, while three others are publicly known and ripe for attack.

Source: fadfebrian via Shutterstock

Microsoft's October security update addressed a substantial 117 vulnerabilities, including two actively exploited flaws and three publicly disclosed but as yet unexploited bugs.

The update is the third largest so far this year in terms of disclosed CVEs, after April's 147 CVEs and July's set of 139 flaws.

A plurality of the bugs (46) enables remote code execution (RCE), and 28 others give threat actors a way to elevate privileges. The remaining vulnerabilities include those that enable spoofing, denial of service, and other malicious outcomes. As always, the CVEs affected a wide range of Microsoft technologies, including the Windows operating system, Microsoft's Hyper-V virtualization technology, Windows Kerberos, Azure, Power BI, and .NET components.

**Actively Exploited Bugs**

The two vulnerabilities in the October update that attackers are actively exploiting are also the ones that merit immediate attention.

One of them is CVE-2024-43573, a spoofing vulnerability in MSHTML, or the Trident legacy browsing engine for Internet Explorer that Microsoft includes in modern versions to maintain backward compatibility. The bug is similar to CVE-2024-38112 and CVE-2024-43461 that Microsoft disclosed in MSHTML in July and September, respectively, which the Void Banshee group has been actively exploiting. Another unusual aspect of the bug: Microsoft has not credited anyone for reporting or discovering it.

Organizations should not allow Microsoft's moderate severity assessment for CVE-2024-43573 to lull them into thinking the bug does not merit immediate attention, researchers at Trend Micro's Zero Day Initiative wrote in a blog post. "There's no word from Microsoft on whether it's \[Void Banshee\], but considering there is no acknowledgment here, it makes me think the original patch was insufficient," the ZDI post noted. "Either way, don't ignore this based on the severity rating. Test and deploy this update quickly."

The other zero-day that attackers are currently exploiting is CVE-2024-43572, an RCE flaw in Microsoft Management Console (MMC). Microsoft said its patch prevents "untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability."

Earlier this year, researchers at Elastic Security reported observing threat actors using specially crafted MMC files, dubbed GrimResource for initial access and defense evasion purposes. However, it is not immediately clear if the attackers were exploiting CVE-2024-43572 in that campaign or some other bug. Microsoft didn't address the point in this most recent patch update.

**Publicly Known but Unexploited — for the Moment**

The three other zero-day bugs that Microsoft disclosed as part of its October security update — but which attackers have not exploited yet — are CVE-2024-6197, a remote code execution vulnerability in the open source cURLl command line tool; CVE-2024-20659, a moderate severity security bypass vulnerability in Windows Hyper-V; and CVE-2024-43583, a WinLogon elevation of privilege vulnerability.

Mike Walters, president and co-founder of Action 1, said organizations should prioritize patching CVE-2024-6197. Though Microsoft has assessed the vulnerability as something that attackers are less likely to exploit, Walters expects to see proof-of-concept code for the flaw become available soon. "This vulnerability is particularly concerning, because it impacts the fundamental architecture of memory management in cURL, a tool integral to data transfers across various network protocols," Walters wrote in a blog post. "The affected systems include those using cURL or libcurl, the underlying library that powers numerous applications on diverse platforms."

Meanwhile, organizations using third-party input method editors (IMEs) that allow users to type in different languages are at particular risk from CVE-2024-43583, which is the WinLogon elevation of privilege flaw, Walters added. "This vulnerability is particularly pertinent in diverse settings where multilingual support is crucial, such as in global enterprises or educational institutions," he said. Attackers could exploit the vulnerability as part of a broader attack chain to compromise affected environments he said.

**Other Critical Bugs that Need Attention Now**

Microsoft assessed just three of the 117 vulnerabilities it disclosed this week as being critical. All three are RCEs. They are CVE-2024-43468 in Microsoft Configuration Manager, CVE-2024-43582 in the Remote Desktop Protocol (RDP) server, and CVE-2024-43488 in Visual Studio Code extension for Arduino Remote.

CVE-2024-43468 highlights some memory safety concerns with Microsoft Configuration Manager, Cody Dietz, a researcher with Automox, wrote in a blog post. "Successful exploitation of this vulnerability can allow for lateral movement throughout a network and offers the potential to deploy malicious configurations to other systems." In addition to immediately patching the vulnerability, organizations should consider using an alternate service account to mitigate risk, Dietz said.

Automox also highlighted CVE-2024-43533, a high-severity bug in RDP. The bug is present in the RDP client and enables attackers to execute arbitrary code on a client machine. "Unlike typical RDP vulnerabilities targeting servers, this one flips the script, offering a unique attack vector against clients," Tom Bowyer, director of IT security at Automox, wrote in the company's blog post.

"This vulnerability opens the door for back-hacks," Boyer added, "where attackers set up rogue RDP servers to exploit scanning activities from entities like nation-states or security companies."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

5 Zero-Days in Microsoft's October Update to Patch Immediately

An arbitrary file read vulnerability in Adguard Home before v0.107.52 allows authenticated attackers to access arbitrary files as root on the underlying Operating System via placing a crafted file into a readable directory.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-9cp9-8gw2-8v7m: Adguard Home arbitrary file read vulnerability

Money transfer giant MoneyGram has notified customers about a data breach that has spilt sensitive customer information.

Money transfer company MoneyGram has notified its customers of a data breach in which it says certain customers had their personal information taken between September 20 and 22, 2024.

The investigation into the incident that was discovered on September 27 is still ongoing, and the number of impacted customers remains unclear.

Initial investigations show the type of information stolen varies between different individuals, but may include:

*   Names
*   Contact information (phone number, email, physical address)
*   Date of birth
*   Social Security Numbers
*   Government-issued identification documents (e.g. driver’s licenses)
*   Other identification documents (e.g. utility bills)
*   Bank account numbers
*   MoneyGram Plus Rewards numbers
*   Transaction information (such as dates and amounts of transactions)
*   Criminal investigation information (such as fraud)

MoneyGram says that only a limited number of customers’ Social Security numbers and criminal investigation information was taken.

At the time, MoneyGram announced on X that it had taken certain systems offline temporarily to avoid any further compromise. That left a large number of worried customers trying to send money abroad to their relatives.

The outage also affected MoneyGram partners, including the Bank of Jamaica and the UK’s Post Office. The UK’s Information Commissioner’s Office (ICO) confirmed to TechCrunch that the watchdog had received a report from MoneyGram.

> “We have received a report from MoneyGram and will be making enquiries.”

MoneyGram recommends that its customers remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports.

If you are in the US and would like to check your credit report, you are entitled under US law to one free credit report annually from each of the three nationwide consumer reporting agencies. MoneyGram has arranged to offer affected US consumers identity protection and credit monitoring services for two years at no cost. Its US Reference Guide provides information on activation of the services.

MoneyGram says there is no evidence that a ransomware group is behind the incident. As always, we will keep you posted about where the information shows up and what the consequences for impacted customers might be.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 MoneyGram confirms customer data breach 

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Tuesday, October 8, 2024 15:04

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings.  

October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities.   

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.  

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability.  

The security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability. 

The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.  

CVE-2024-43583, an elevation of privilege vulnerability in Winlogon, has also been publicly disclosed, according to Microsoft, but has not yet been exploited in the wild. This vulnerability could allow an attacker to obtain SYSTEM-level privilege. In addition to applying the patch, Microsoft also recommends users enable a Microsoft first-party Input Method Editor (IME) on their devices to prevent adversaries from being able to exploit third-party IMEs during the sign-in process. 

October’s Patch Tuesday also includes three critical vulnerabilities that could all lead to remote code execution. 

CVE-2024-43468 is the most serious of this bunch, with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability in Microsoft Configuration Manager to execute commands on the targeted server or underlying database. 

Another remote code execution vulnerability, CVE-2024-43488, exists in the Visual Studio Code extension for Arduino, an open-source platform for building and managing single-board microcontrollers and microcontroller kits. A missing authentication protocol could allow an adversary to execute remote code over the network.  

Microsoft stated that the company has already mitigated this vulnerability and users do not need to take any additional steps. This extension has also been deprecated and can no longer be downloaded from the internet. 

Lastly, CVE-2024-43582 exists in the Windows Remote Desktop Protocol server and could allow an attacker to execute code on the server side with the same permissions as the RPC service. An adversary could exploit this vulnerability by sending malformed packets to an RPC host. However, exploitation also requires that the adversary win a race condition first.  

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited: 

*   CVE-2024-43502: Elevation of privilege vulnerability in Windows Kernel 
*   CVE-2024-43509 and CVE-2024-43556: Elevation of privilege vulnerabilities in Windows Graphics Component     
*   CVE-2024-43560: Elevation of privilege vulnerability in Windows Storage Port 
*   CVE-2024-43581 and CVE-2024-43615: Remote code execution vulnerability in Microsoft OpenSSH for Windows  
*   CVE-2024-43609: Spoofing vulnerability in Microsoft Office 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 - 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 - 301036 and 301041.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

As healthcare organizations struggle against operational issues, two-thirds of the industry suffered ransomware attacks in the past year, and an increasing number are caving to extortion and paying up.

Source: Yuri A/PeopleImages via ShutterStock

The healthcare sector continues to grow, but without the proper focus on cybersecurity, the prognosis for the industry's resilience against ransomware and other attacks has only worsened.

Against a backdrop of non-IT disruptions — such as private equity failures, shortages of medicines, and the cutting of services — two-thirds (66%) of healthcare organizations also suffered ransomware attacks in the past year, up from 60% in the prior year, according to a report from cybersecurity firm Sophos. Major attacks on hospitals and medical-service providers have led to disruptions of services, significant financial outlay, and the exposure of sensitive patient data. In some cases, they also affected patient outcomes.

There are also new threats emerging all the time. The Trinity ransomware, for instance, first seen last May, poses a "significant threat" to the healthcare and public health sector, according to an alert this week from the US Department of Health and Human Services.  

Overall, more than 14 million US citizens — and an unknown number worldwide — have been affected by healthcare breaches in 2024, according to another data set from security firm SonicWall.

Healthcare suffers such a cyber malaise that Senate Finance Committee chair Ron Wyden (D-Ore.), and Sen. Mark Warner (D-Va.) last week announced legislation to attempt to patch up the system. The bill would require jail time for healthcare CEOs that lie to the government about their cybersecurity postures, offer federal resources to rural and underserved hospitals for cyber improvements, and introduce accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data. The bill would also remove the existing cap on fines for data mishandling under the Health Insurance Portability and Accountability Act (HIPAA).

"Mega-corporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result," Wyden said in a statement announcing the bill. "The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy."

**Healthcare Cyber-Profiles Are Ripe for Infection**

Healthcare organizations have three attributes that ensure ransomware gangs will continue to focus on the industry: Their operations are critical to society, their technology is often old and rife with vulnerabilities, and individual organizations are willing to pay ransoms, says Doug McKee, executive director of threat research of SonicWall.

"There's a lot of money in healthcare, \[and\] healthcare is not only notorious for having a lot of money, but they've been painted as an industry that's willing to pay the ransom," he says. "If we're going to keep paying the ransom, the attackers are going to keep ramping up in that industry. The math is that simple."

The cybersecurity problems plaguing the industry are not just affecting the business of healthcare. They're also having real impacts on patients and national health efforts. Attackers used stolen credentials, for example, to compromise UnitedHealth subsidiary Change Healthcare and infect its systems with ransomware in February, leading to stalled payments for doctors, pharmacies, and hospitals — and eventually a $22 million ransom paid to the criminals. In the United Kingdom, an attack on medical-services provider Synnovis in June led to delays in matching patient blood types and other pathology services. The same month, an attack on South Africa's National Health Laboratory Service (NHLS) disrupted the service provided by the government-run testing laboratories, while the nation found itself in the midst of an mpox outbreak.

"I can either pay the ransom, get back up and running, or I can try to rebuild it myself and pray that we get everything back set up running in a week — not an option," says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). "So now, we've got a sector who is more prevalent to pay, and I think the bad guys — cybercriminals, nation-states that are doing this — figured that out pretty quickly. I think it's getting worse, and I think that they've also figured out the weak spots in the sector."

**A Pound of Cure Typically Fails**

The weakest spot for healthcare entities is arguably the inter-reliance of hospitals and pharmacies on their third-party providers. When Change Healthcare suffered its weekslong outage, the incident demonstrated that efforts to shore up cyber resilience has to extend all the way to any third-party suppliers on which healthcare providers rely.

"Change Healthcare definitely rocked the sector and made us \[realize\] that it's a single point of failure for so many services," Weiss says. "We had thousands of patients across the US that couldn't get prescriptions filled because of that outage, and then ... we had hospitals that couldn't file claims."

Similarly, the attacks on Synnovis and NHLS slowed diagnostic services.

While their operational requirements — prioritizing human life, which means keeping open the access to needed data — pose challenging issues, healthcare organizations must gain oversight over their (often legacy) technology and the large variety of medical devices and equipment, which might not be kept totally up to date. Seven out of every eight breaches were caused by exploitable vulnerabilities, compromised credentials, and malicious emails — so focusing on those three areas could pay significant dividends for cybercriminals, says Christopher Budd, director of threat research for Sophos X-Ops.

"Healthcare — along with energy, oil/gas, and utilities — is challenged by higher levels of legacy technology, and infrastructure controls more than most other sectors, which likely makes it harder to secure devices, limit lateral movement, and prevent attacks from spreading," he says.

**Time for an Ounce of Prevention**

Yet, perhaps most telling is the industry's problems with backups.

In 95% of attacks targeting healthcare organizations, the attacker tried to compromise the backups. Unfortunately, they succeeded in 66%, putting healthcare organizations' defensive shortcomings behind that of only the energy, oil/gas, and utilities sector (79%) and the education sector (71%), according to Sophos' report.

While healthcare organizations continue to use backups to recover, many also pay ransoms. Source: Sophos

The loss of backups results in much worse — and more expensive — outcomes, the report stated. The value of the initial ransom demand more than tripled, to $4.4 million, compared with $1.3 million for organizations with backups, and the organizations were far more likely to pay the ransom, with 63% of organizations with a failed backup paying the ransom, compared with 27% of organizations with complete backups.

In its threat brief, SonicWall recommended the typical trio of cybersecurity best practices: patch management, strong access controls, and continuous monitoring. However, out of those three, monitoring is the most important capability for organizations to establish first, says SonicWall's McKee. Companies with good visibility can detect cybersecurity issues early and remediate them before they are attacked, he says.

While the outlook is currently messy, progress is being made, he added.

"I think that we've gotten better," McKee says. "Over the last five years, I've seen a huge improvement in healthcare, as far as being able to turn around cybersecurity best practices ... but \[technology\] has to get through all the regulatory requirements ... and that's simply going to take time ... probably years, for healthcare to get to a point that we're able to reduce some of the effectiveness of these attacks."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Healthcare's Grim Cyber Prognosis Requires Security Booster

A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. When an HTTP smuggling request with an ASCII control character is sent, it causes the Netty HttpObjectDecoder to transition into a BAD_MESSAGE state. As a result, any subsequent legitimate requests on the same connection are ignored, leading to client timeouts, which may impact systems using load balancers and expose them to risk.

GHSA-5wpr-cj9p-959r: HTTP Request Smuggling Leading to Client Timeouts in resteasy-netty4

A vulnerability was found in Quarkus CXF. Passwords and other secrets may appear in the  application log in spite of the user configuring them to be hidden. This issue requires some special configuration to be vulnerable, such as SOAP logging enabled, application set client, and endpoint logging properties, and the attacker must have access to the application log.

GHSA-jqh2-ch7p-xwxh: Quarkus CXF logs passwords and other secrets

An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string.

GHSA-jj5c-hhrg-vv5h: xhtml2pdf Denial of Service via crafted string

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome (only when e-mail sending is consistently failing).

GHSA-rrqc-c2jx-6jgv: Django allows enumeration of user e-mail addresses

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters.

Tag

#auth