Lucene search

GitHub Advisory DatabaseGHSA-5P9J-W2WX-QX4C

HistoryMar 07, 2022 - 12:00 a.m.

Open Redirect in django-spirit

2022-03-0700:00:40

CWE-601

GitHub Advisory Database

github.com

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

45.4%

JSON

django-spirit prior to version 0.12.3 is vulnerable to open redirect. In the /user/login endpoint, it doesn’t check the value of the next parameter when the user is logged in and passes it directly to redirect which result to open redirect. This also affects /user/logout, /user/register, /user/login, /user/resend-activation.

Affected configurations

Vulners

Node

djangospiritRange<0.12.3

CPENameOperatorVersion
django-spiritlt0.12.3

CPE	Name	Operator	Version
	django-spirit	lt	0.12.3

References

github.com/advisories/GHSA-5p9j-w2wx-qx4c

github.com/nitely/spirit/commit/8f32f89654d6c30d56e0dd167059d32146fb32ef

huntr.dev/bounties/ed335a88-f68c-4e4d-ac85-f29a51b03342

nvd.nist.gov/vuln/detail/CVE-2022-0869

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

45.4%

JSON

Related for GHSA-5P9J-W2WX-QX4C