5.3
CVE-2025-13473
- EPSS 0.04%
- Veröffentlicht 03.02.2026 14:32:26
- Zuletzt bearbeitet 04.02.2026 17:10:36
- Quelle 6a34fbeb-21d4-45e7-8e0a-62b95b
- CVE-Watchlists
- Unerledigt
Username enumeration through timing difference in mod_wsgi authentication handler
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Djangoproject ≫ Django Version >= 4.2 < 4.2.28
Djangoproject ≫ Django Version >= 5.2 < 5.2.11
Djangoproject ≫ Django Version >= 6.0 < 6.0.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.04% | 0.106 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-208 Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.