CVE-2024-53995 – sickchill

Package

Manager: pip
Name: sickchill
Vulnerable Version: >=0 <=2024.3.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:P

EPSS: 0.00038 pctl0.10238

Details

GHSL-2024-288: SickChill open redirect in login SickChill is an automatic video library manager for TV shows. A user-controlled `login` endpoint's `next_` parameter takes arbitrary content. Prior to commit c7128a8946c3701df95c285810eb75b2de18bf82, an authenticated attacker may use this to redirect the user to arbitrary destinations, leading to open redirect. Commit c7128a8946c3701df95c285810eb75b2de18bf82 changes the login page to redirect to `settings.DEFAULT_PAGE` instead of to the `next` parameter.

Metadata

Created: 2025-01-08T22:03:58Z
Modified: 2025-01-08T22:03:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-6gf2-ffq8-gcww/GHSA-6gf2-ffq8-gcww.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-6gf2-ffq8-gcww
Finding: F156
Auto approve: 1