GHSA-9x43-5qcq-h79q: in django-grappelli
views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL (e.g., //example.com) attack.
Moderate severity GitHub Reviewed Published Oct 22, 2023 to the GitHub Advisory Database • Updated Oct 24, 2023
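As an added illustration, not code from django-grappelli or from the linked fix commit, the following places the prefix check the advisory describes beside a stricter same-origin check; the function names and the fallback path are assumptions.

```python
"""Why startswith("/") alone does not keep a redirect on the same host.

Illustrative code written for this note; it is not the django-grappelli
source. Function names and the "/admin/" fallback are assumed.
"""
from urllib.parse import urlsplit


def is_local_redirect_naive(url: str) -> bool:
    """The check the advisory describes: anything starting with '/' passes.

    A protocol-relative target such as "//example.com/" starts with "/"
    too, so this check lets the browser leave the site.
    """
    return url.startswith("/")


def is_local_redirect_safe(url: str) -> bool:
    """Accept only a path-only target on the current origin.

    Rejects protocol-relative targets ("//host/...") and the backslash
    variant ("/\\host", which browsers normalise to "//host"), plus anything
    that parses with a scheme or a network location.
    """
    if not url or not url.startswith("/"):
        return False
    # A second slash or a backslash right after the leading slash turns the
    # remainder into a host component rather than a path.
    if url[1:2] in ("/", "\\"):
        return False
    # Browsers treat backslashes as slashes, so normalise before parsing.
    parts = urlsplit(url.replace("\\", "/"))
    return parts.scheme == "" and parts.netloc == ""


def resolve_redirect(next_url: str, fallback: str = "/admin/") -> str:
    """Return the target a view should redirect to, or the fallback."""
    return next_url if is_local_redirect_safe(next_url) else fallback


if __name__ == "__main__":
    # Constructed inputs for the comparison; not from any real request.
    samples = ("/admin/", "//example.com/", "/\\example.com",
               "https://example.com", "/foo//bar")
    for candidate in samples:
        print(f"{candidate!r:24} naive={is_local_redirect_naive(candidate)!s:5} "
              f"safe={is_local_redirect_safe(candidate)}")
```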
Related news
CVE-2021-46898: Update switch.py · sehmaschine/django-grappelli@4ca94bc