High severity 7.5 · NVD Advisory · Published Feb 5, 2018 · Updated Jun 17, 2026
CVE-2018-6188
Description
django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from the confirm_login_allowed() method, as demonstrated by discovering whether a user account is inactive.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 2.0a1, < 2.0.2 | 2.0.2 |
| Django (PyPI) | >= 1.11.8, < 1.11.10 | 1.11.10 |
Affected products (6)
ghsa-coords, 6 versions:
- pkg:pypi/django
- pkg:rpm/opensuse/python-Django4&distro=openSUSE%20Tumbleweed
- pkg:rpm/opensuse/python-Django6&distro=openSUSE%20Tumbleweed
- pkg:rpm/opensuse/python-Django&distro=openSUSE%20Tumbleweed
- pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012
- pkg:rpm/suse/python-Django&distro=SUSE%20Package%20Hub%2012%20SP1
Version ranges:
- (no CPE) range: >= 2.0a1, < 2.0.2
- (no CPE) range: < 4.2.14-1.1
- (no CPE) range: < 6.0-1.1
- (no CPE) range: < 3.2.7-2.3
- (no CPE) range: < 1.11.10-5.1
- (no CPE) range: < 1.11.15-2.1
References (11)
- www.djangoproject.com/weblog/2018/feb/01/security-releases/ (nvd: Patch, Vendor Advisory)
- www.securitytracker.com/id/1040422 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-rf4j-j272-fj86 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-6188 (ghsa: ADVISORY)
- usn.ubuntu.com/3559-1/ (nvd: Third Party Advisory)
- github.com/django/django/commit/57b95fedad5e0b83fc9c81466b7d1751c6427aae (ghsa: WEB)
- github.com/django/django/commit/c37bb28677295f6edda61d8ac461014ef0d3aeb2 (ghsa: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-4.yaml (ghsa: WEB)
- usn.ubuntu.com/3559-1 (ghsa: WEB)
- web.archive.org/web/20200517143909/http://www.securitytracker.com/id/1040422 (ghsa: WEB)
- www.djangoproject.com/weblog/2018/feb/01/security-releases (ghsa: WEB)