GHSA-5p9j-w2wx-qx4c

Source

https://github.com/advisories/GHSA-5p9j-w2wx-qx4c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-5p9j-w2wx-qx4c/GHSA-5p9j-w2wx-qx4c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5p9j-w2wx-qx4c

Aliases

CVE-2022-0869

Published

2022-03-07T00:00:40Z

Modified

2023-11-08T04:07:41.514479Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Open Redirect in django-spirit

Details

django-spirit prior to version 0.12.3 is vulnerable to open redirect. In the /user/login endpoint, it doesn't check the value of the next parameter when the user is logged in and passes it directly to redirect which result to open redirect. This also affects /user/logout, /user/register, /user/login, /user/resend-activation.

Database specific

{
    "nvd_published_at": "2022-03-06T10:15:00Z",
    "github_reviewed_at": "2022-03-07T20:17:27Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-601"
    ]
}

References

Affected packages

PyPI / django-spirit

Package

Name: django-spirit; View open source insights on deps.dev
Purl: pkg:pypi/django-spirit

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.12.3

Affected versions

0.*

0.1

0.1.0-1

0.1.1

0.1.2

0.1.3

0.2.0

0.2.1

0.3.0

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.5.0

0.6.0

0.6.1

0.6.2

0.6.3

0.7.0

0.7.1

0.8.0

0.9.0

0.9.1

0.10.0

0.10.1

0.11.0

0.11.1

0.12.0

0.12.1

0.12.2