GHSA-9x43-5qcq-h79q

Source

https://github.com/advisories/GHSA-9x43-5qcq-h79q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-9x43-5qcq-h79q/GHSA-9x43-5qcq-h79q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9x43-5qcq-h79q

Aliases

Published

2023-10-22T21:36:10Z

Modified

2024-09-13T20:24:36.552132Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Django Grappelli Open Redirect vulnerability

Details

views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL (e.g., //example.com) attack.

Database specific

{
    "nvd_published_at": "2023-10-22T19:15:08Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-601"
    ],
    "github_reviewed_at": "2023-10-24T01:46:26Z"
}

References

Affected packages

PyPI / django-grappelli

Package

Name: django-grappelli; View open source insights on deps.dev
Purl: pkg:pypi/django-grappelli

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.15.2

Affected versions

1.*

1.3

2.*

2.1

2.1.1

2.2

2.3

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10

2.4.11

2.4.12

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.7.1

2.7.2

2.7.3

2.8.1

2.8.2

2.8.3

2.9.1

2.10.1

2.10.2

2.10.3

2.10.4

2.11.1

2.11.2

2.12.1

2.12.2

2.12.3

2.12.4

2.13.1

2.13.2

2.13.3

2.13.4

2.14.1

2.14.2

2.14.3

2.14.4

2.15.1