CVE-2021-46898

2023-10-2219:15:08

Google

osv.dev

cve-2021-46898

django grappelli

external redirection

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

20.6%

JSON

views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith(“/”) but this does not consider a protocol-relative URL (e.g., //example.com) attack.

CPENameOperatorVersion
django-grappellieq2.3.7
django-grappellieq2.4.2
django-grappellieq2.12.1
django-grappellieq2.11.2
django-grappellieq2.15.1
django-grappellieq2.14.4
django-grappellieq2.4.7
django-grappellieq2.10.2
django-grappellieq2.3.6
django-grappellieq2.6.4

Name	Operator	Version
django-grappelli	eq	2.3.7
django-grappelli	eq	2.4.2
django-grappelli	eq	2.12.1
django-grappelli	eq	2.11.2
django-grappelli	eq	2.15.1
django-grappelli	eq	2.14.4
django-grappelli	eq	2.4.7
django-grappelli	eq	2.10.2
django-grappelli	eq	2.3.6
django-grappelli	eq	2.6.4