django-grappelli up to 2.15.1 Relative URL views/switch.py redirect
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.7 | $0-$5k | 0.00 |
Summary
A vulnerability has been found in django-grappelli up to 2.15.1 and classified as problematic. This affects an unknown function of the file views/switch.py of the component Relative URL Handler. Performing a manipulation results in redirect. This vulnerability is identified as CVE-2021-46898. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded.
Details
A vulnerability was found in django-grappelli up to 2.15.1 (Content Management System). It has been classified as problematic. This affects an unknown part of the file views/switch.py of the component Relative URL Handler. The manipulation with an unknown input leads to a redirect vulnerability. CWE is classifying the issue as CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. This is going to have an impact on integrity. The summary by CVE is:
views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL (e.g., //example.com) attack.
The weakness was released 10/23/2023 as 975. The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2021-46898 since 10/22/2023. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1204.001 for this issue.
Upgrading to version 2.15.2 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 4ca94bcda0fa2720594506853d85e00c8212968f is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.8VulDB Meta Temp Score: 4.7
VulDB Base Score: 3.5
VulDB Temp Score: 3.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 6.1
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: RedirectCWE: CWE-601
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: django-grappelli 2.15.2
Patch: 4ca94bcda0fa2720594506853d85e00c8212968f
Timeline
10/22/2023 🔍10/23/2023 🔍
10/23/2023 🔍
11/12/2023 🔍
Sources
Advisory: 975Status: Confirmed
CVE: CVE-2021-46898 (🔍)
GCVE (CVE): GCVE-0-2021-46898
GCVE (VulDB): GCVE-100-243141
Entry
Created: 10/23/2023 07:25Updated: 11/12/2023 16:06
Changes: 10/23/2023 07:25 (44), 11/12/2023 16:06 (11)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.