Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01cDlqLXcyd3gtcXg0Y80whQ
Open Redirect in django-spirit
django-spirit prior to version 0.12.3 is vulnerable to open redirect. In the /user/login endpoint, it doesn't check the value of the next parameter when the user is logged in and passes it directly to redirect which result to open redirect. This also affects /user/logout, /user/register, /user/login, /user/resend-activation.
Permalink: https://github.com/advisories/GHSA-5p9j-w2wx-qx4cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01cDlqLXcyd3gtcXg0Y80whQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-5p9j-w2wx-qx4c, CVE-2022-0869
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-0869
- https://github.com/nitely/spirit/commit/8f32f89654d6c30d56e0dd167059d32146fb32ef
- https://huntr.dev/bounties/ed335a88-f68c-4e4d-ac85-f29a51b03342
- https://github.com/advisories/GHSA-5p9j-w2wx-qx4c
Blast Radius: 9.4
Affected Packages
pypi:django-spirit
Dependent packages: 0Dependent repositories: 35
Downloads: 175 last month
Affected Version Ranges: < 0.12.3
Fixed in: 0.12.3
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.2
All unaffected versions: 0.12.3, 0.13.0