{"id":"PYSEC-2023-211","details":"views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith(\"/\") but this does not consider a protocol-relative URL (e.g., //example.com) attack.","aliases":["CVE-2021-46898","GHSA-9x43-5qcq-h79q"],"modified":"2023-11-08T04:07:27.923575Z","published":"2023-10-22T19:15:00Z","references":[{"type":"FIX","url":"https://github.com/sehmaschine/django-grappelli/commit/4ca94bcda0fa2720594506853d85e00c8212968f"},{"type":"WEB","url":"https://github.com/sehmaschine/django-grappelli/pull/976"},{"type":"WEB","url":"https://github.com/sehmaschine/django-grappelli/compare/2.15.1...2.15.2"},{"type":"REPORT","url":"https://github.com/sehmaschine/django-grappelli/issues/975"}],"affected":[{"package":{"name":"django-grappelli","ecosystem":"PyPI","purl":"pkg:pypi/django-grappelli"},"ranges":[{"type":"GIT","repo":"https://github.com/sehmaschine/django-grappelli","events":[{"introduced":"0"},{"fixed":"4ca94bcda0fa2720594506853d85e00c8212968f"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.15.2"}]}],"versions":["1.3","2.1","2.1.1","2.10.1","2.10.2","2.10.3","2.10.4","2.11.1","2.11.2","2.12.1","2.12.2","2.12.3","2.12.4","2.13.1","2.13.2","2.13.3","2.13.4","2.14.1","2.14.2","2.14.3","2.14.4","2.15.1","2.2","2.3","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.3.8","2.3.9","2.4.0","2.4.1","2.4.10","2.4.11","2.4.12","2.4.2","2.4.3","2.4.4","2.4.5","2.4.6","2.4.7","2.4.8","2.4.9","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.5.6","2.5.7","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.7.1","2.7.2","2.7.3","2.8.1","2.8.2","2.8.3","2.9.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/django-grappelli/PYSEC-2023-211.yaml"}}],"schema_version":"1.7.3"}