Lucene search

GitHub Advisory DatabaseGHSA-9X43-5QCQ-H79Q

HistoryOct 22, 2023 - 9:36 p.m.

Django Grappelli Open Redirect vulnerability

2023-10-2221:36:10

CWE-601

GitHub Advisory Database

github.com

django grappelli

open redirect

switch.py

external redirection

protocol-relative url

vulnerability

security issue

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

20.6%

JSON

views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith(“/”) but this does not consider a protocol-relative URL (e.g., //example.com) attack.

Affected configurations

Vulners

Node

djangograppelliRange0≥

djangograppelliRange<2.15.2

CPENameOperatorVersion
django-grappellige0
django-grappellilt2.15.2

CPE	Name	Operator	Version
	django-grappelli	ge	0
	django-grappelli	lt	2.15.2

References

github.com/advisories/GHSA-9x43-5qcq-h79q

github.com/pypa/advisory-database/tree/main/vulns/django-grappelli/PYSEC-2023-211.yaml

github.com/sehmaschine/django-grappelli/commit/4ca94bcda0fa2720594506853d85e00c8212968f

github.com/sehmaschine/django-grappelli/compare/2.15.1...2.15.2

github.com/sehmaschine/django-grappelli/issues/975

github.com/sehmaschine/django-grappelli/pull/976

nvd.nist.gov/vuln/detail/CVE-2021-46898

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

20.6%

JSON

Related for GHSA-9X43-5QCQ-H79Q