{"id":"PYSEC-2020-45","details":"An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. The \"next\" parameter is not validated, so someone can supply a malicious URL in that parameter and Horizon will automatically redirect to it (an open redirect).","aliases":["CVE-2020-29565","GHSA-f8fh-xp28-q59m"],"modified":"2024-04-29T11:41:28.485018Z","published":"2020-12-04T08:15:00Z","references":[{"type":"WEB","url":"https://bugs.launchpad.net/horizon/+bug/1865026"},{"type":"WEB","url":"https://review.opendev.org/c/openstack/horizon/+/758841/"},{"type":"WEB","url":"https://review.opendev.org/c/openstack/horizon/+/758843/"},{"type":"WEB","url":"https://security.openstack.org/ossa/OSSA-2020-008.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2020/12/08/2"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4820"}],"affected":[{"package":{"name":"horizon","ecosystem":"PyPI","purl":"pkg:pypi/horizon"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15.3.0"},{"fixed":"15.3.2"},{"introduced":"16.0.0"},{"fixed":"16.2.1"},{"introduced":"17.0.0"},{"fixed":"18.3.3"},{"introduced":"18.4.0"},{"fixed":"18.6.0"}]}],"versions":["15.3.0","15.3.1","16.0.0","16.1.0","16.2.0","17.0.0","17.1.0","18.0.0","18.1.0","18.2.0","18.3.0","18.3.1","18.3.2","18.4.0","18.4.1","18.5.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/horizon/PYSEC-2020-45.yaml"}}],"schema_version":"1.7.3"}