CVE-2022-0869 – django-spirit
Package
Manager: pip
Name: django-spirit
Vulnerable Version: >=0 <0.12.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.03835 (percentile 0.87715)
Details
Open Redirect in django-spirit
django-spirit prior to version 0.12.3 is vulnerable to open redirect. The /user/login endpoint does not check the value of the next parameter when the user is logged in and passes it directly to redirect, which results in an open redirect. This also affects /user/logout, /user/register, /user/login, /user/resend-activation.
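The fix for this class of bug (CWE-601) is to validate a user-supplied next value against the site's own hosts before redirecting to it. In a Django view the helper to use is django.utils.http.url_has_allowed_host_and_scheme(url, allowed_hosts=..., require_https=...). The block below is an added example, not django-spirit's code or the advisory's: it re-implements the same rules in plain Python so it runs without Django installed, and assumes the site is served at forum.example.org (a constructed value).

```python
"""Validate a user-supplied ``next`` parameter before redirecting to it.

Added example (not django-spirit's code). The checks mirror the rules that
Django's ``url_has_allowed_host_and_scheme`` applies; ALLOWED_HOSTS is an
assumed value for this example.
"""
import unicodedata
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"forum.example.org"}   # assumed: hosts this site is served on
DEFAULT_NEXT = "/"                       # fallback when ``next`` is rejected


def _host_and_scheme_allowed(url, allowed_hosts, require_https):
    # Chrome treats "///host" as the protocol-relative "//host"; urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # A scheme with no host ("javascript:...", "http:") is never a safe target.
    if parts.scheme and not parts.netloc:
        return False
    # A protocol-relative URL ("//host/...") is an http(s) URL to another host.
    scheme = parts.scheme or ("http" if parts.netloc else "")
    valid_schemes = {"https"} if require_https else {"http", "https"}
    host_ok = not parts.netloc or parts.netloc in allowed_hosts
    scheme_ok = not scheme or scheme in valid_schemes
    return host_ok and scheme_ok


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    """True only if ``target`` is a local path or points at an allowed host."""
    if not target:
        return False
    # A leading control character (e.g. NUL) can confuse URL parsers.
    if unicodedata.category(target[0])[0] == "C":
        return False
    # Browsers treat backslashes as slashes, so "/\\host" is read as "//host".
    # Checking the normalised form as well closes that bypass.
    for candidate in (target, target.replace("\\", "/")):
        if not _host_and_scheme_allowed(candidate, allowed_hosts, require_https):
            return False
    return True


def resolve_next(params, default=DEFAULT_NEXT):
    """Redirect target for a login/logout/register view: the validated ``next``
    value, or ``default`` when it is missing or points off-site."""
    target = params.get("next", "")
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample query parameters, as a login view might receive them.
    for sample in ({"next": "/topics/1/"}, {"next": "//evil.example/"}, {}):
        print(sample, "->", resolve_next(sample))
```

resolve_next() is what a login or logout view would call in place of passing the raw parameter to redirect; anything off-site, scheme-only, or parser-ambiguous falls back to the site root.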
Metadata
Created: 2022-03-07T00:00:40Z
Modified: 2022-03-14T21:19:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-5p9j-w2wx-qx4c/GHSA-5p9j-w2wx-qx4c.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-5p9j-w2wx-qx4c
Finding: F156
Auto approve: 1