Vulnerability Description
views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL (e.g., //example.com) attack.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vonautomatisch | Django Grappelli | < 2.15.2 |
Related Weaknesses (CWE)
References
- https://github.com/sehmaschine/django-grappelli/commit/4ca94bcda0fa2720594506853Patch
- https://github.com/sehmaschine/django-grappelli/compare/2.15.1...2.15.2Release Notes
- https://github.com/sehmaschine/django-grappelli/issues/975ExploitIssue Tracking
- https://github.com/sehmaschine/django-grappelli/pull/976Patch
- https://github.com/sehmaschine/django-grappelli/commit/4ca94bcda0fa2720594506853Patch
- https://github.com/sehmaschine/django-grappelli/compare/2.15.1...2.15.2Release Notes
- https://github.com/sehmaschine/django-grappelli/issues/975ExploitIssue Tracking
- https://github.com/sehmaschine/django-grappelli/pull/976Patch
FAQ
What is CVE-2021-46898?
CVE-2021-46898 is a vulnerability with a CVSS score of 6.1 (MEDIUM). views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL (e.g., //examp...
How severe is CVE-2021-46898?
CVE-2021-46898 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-46898?
Check the references section above for vendor advisories and patch information. Affected products include: Vonautomatisch Django Grappelli.