6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-46898

GHSA ID

GHSA-9x43-5qcq-h79q

EPSS Score

0.33458%

CWE

CWE-601

Published

10/22/2023

Updated

9/13/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-46898

CVE-2021-46898: Django Grappelli Open Redirect vulnerability

views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL (e.g., //example.com) attack.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-46898

GHSA ID

GHSA-9x43-5qcq-h79q

EPSS Score

0.33458%

CWE

CWE-601

Published

10/22/2023

Updated

9/13/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
django-grappelli	pip	>= 0, < 2.15.2	2.15.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the redirect URL validation logic in the switch_user view function. The original check (redirect_url.startswith('/')) was replaced with Django's secure url_has_allowed_host_and_scheme() in the patch. The function directly processes user-controlled redirect parameters and contained the flawed validation logic, making it the clear entry point for the open redirect vulnerability. The commit diff and CVE description explicitly reference this function as the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

vi*ws/swit**.py in *j*n*o-*r*pp*lli (*k* *j*n*o *r*pp*lli) ***or* *.**.* *tt*mpts to pr*v*nt *xt*rn*l r**ir**tion wit* st*rtswit*("/") *ut t*is *o*s not *onsi**r * proto*ol-r*l*tiv* URL (*.*., //*x*mpl*.*om) *tt**k.

Reasoning

T** vuln*r**ility st*ms *rom t** r**ir**t URL v*li**tion lo*i* in t** swit**_us*r vi*w *un*tion. T** ori*in*l ****k (r**ir**t_url.st*rtswit*('/')) w*s r*pl**** wit* *j*n*o's s**ur* url_**s_*llow**_*ost_*n*_s***m*() in t** p*t**. T** *un*tion *ir**tly

6.1

Basic Information

Concerned about an active attack path?

CVE-2021-46898: Django Grappelli Open Redirect vulnerability

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI