Lucene search

Veracode Vulnerability DatabaseVERACODE:43959

HistoryOct 24, 2023 - 6:48 a.m.

Open Redirect

2023-10-2406:48:55

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

open redirect

django_grappelli

protocol-relative url

remote attacker

confidential information

views/switch.py

software

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

20.6%

JSON

django_grappelli is vulnerable to Open Redirect. The library attempts to prevent external redirection with startswith(/) but this does not include protocol-relative URL attacks (e.g., //example.com), which allows a remote attacker to gain confidential information via views/switch.py.

CPENameOperatorVersion
django-grappellile2.15.1
django-grappellile2.15.1

CPE	Name	Operator	Version
	django-grappelli	le	2.15.1
	django-grappelli	le	2.15.1

References

github.com/advisories/GHSA-9x43-5qcq-h79q

github.com/sehmaschine/django-grappelli/commit/4ca94bcda0fa2720594506853d85e00c8212968f

github.com/sehmaschine/django-grappelli/compare/2.15.1...2.15.2

github.com/sehmaschine/django-grappelli/issues/975

github.com/sehmaschine/django-grappelli/pull/976

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

20.6%

JSON

Related for VERACODE:43959