Django is vulnerable to information leakage. Django will run the confirm_login_allowed()
method even if the password is incorrect. From this method, attackers can gleam some information depending on the errors that arise. For example, if the standard confirm_login_allowed()
is used, an attacker can enter any username and see if the value of is_active
.