CVE-2022-0869

MEDIUM6.1EPSS 7.6%

Open Redirect in django-spirit

Published: 3/7/2022Modified: 11/8/2023

Description

django-spirit prior to version 0.12.3 is vulnerable to open redirect. In the /user/login endpoint, it doesn't check the value of the next parameter when the user is logged in and passes it directly to redirect which result to open redirect. This also affects /user/logout, /user/register, /user/login, /user/resend-activation.

Affected packages (1)

PyPI/django-spiritfrom 0, < 0.12.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-0869
PATCHhttps://github.com/nitely/spirit
WEBhttps://github.com/nitely/spirit/commit/8f32f89654d6c30d56e0dd167059d32146fb32ef
WEBhttps://huntr.dev/bounties/ed335a88-f68c-4e4d-ac85-f29a51b03342