Vulnerability Details CVE-2021-46898
views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL (e.g., //example.com) attack.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 33.3%
CVSS Severity
CVSS v3 Score 6.1
References
- https://github.com/sehmaschine/django-grappelli/commit/4ca94bcda0fa2720594506853d85e00c8212968f
- https://github.com/sehmaschine/django-grappelli/compare/2.15.1...2.15.2
- https://github.com/sehmaschine/django-grappelli/issues/975
- https://github.com/sehmaschine/django-grappelli/pull/976
- https://github.com/sehmaschine/django-grappelli/commit/4ca94bcda0fa2720594506853d85e00c8212968f
- https://github.com/sehmaschine/django-grappelli/compare/2.15.1...2.15.2
- https://github.com/sehmaschine/django-grappelli/issues/975
- https://github.com/sehmaschine/django-grappelli/pull/976
Products affected by CVE-2021-46898
-
cpe:2.3:a:vonautomatisch:django_grappelli:*