Medium severity (CVSS 6.1) · NVD Advisory · Published Oct 22, 2023 · Updated Jun 17, 2026
CVE-2021-46898
Description
views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection by checking that the target starts with "/" (startswith("/")), but this does not account for protocol-relative URLs (e.g., //example.com). Such a value also begins with "/", yet a browser resolves it against a different host, so the check can be bypassed to redirect users off-site.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| django-grappelli (PyPI) | < 2.15.2 | 2.15.2 |
Affected products
| Product | Package (purl) | Affected range |
|---|---|---|
| Django Grappelli (PyPI) | pkg:pypi/django-grappelli | < 2.15.2 |
| openSUSE Leap 15.4 | pkg:rpm/opensuse/python-django-grappelli | < 2.14.4-bp154.2.3.1 |
| openSUSE Leap 15.5 | pkg:rpm/opensuse/python-django-grappelli | < 2.14.4-bp155.3.3.1 |
| SUSE Package Hub 15 SP4 | pkg:rpm/suse/python-django-grappelli | < 2.14.4-bp154.2.3.1 |
| SUSE Package Hub 15 SP5 | pkg:rpm/suse/python-django-grappelli | < 2.14.4-bp155.3.3.1 |
No CPE identifiers are recorded for these entries.
Vulnerability mechanics
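The following Python is an added illustration, not django-grappelli's own code and not a claim about how the 2.15.2 fix is written. It shows a startswith("/") check of the kind the description identifies, the protocol-relative input that slips past it, and a hardened check that only accepts same-origin, path-absolute targets. Function names, the fallback path "/admin/" and the sample inputs are assumptions made for this example; the backslash and triple-slash cases are included because browsers treat "/\host" and "///host" like "//host".

```python
"""Added example for CVE-2021-46898 (not project code).

Contrasts a naive "starts with /" redirect check with a hardened one that
rejects protocol-relative and otherwise off-origin targets.
"""
from urllib.parse import urlsplit


def is_local_redirect_vulnerable(url: str) -> bool:
    """Pre-2.15.2 style check: anything starting with "/" is trusted.

    "//evil.example" also starts with "/", so a browser following the
    redirect leaves the site. This is the flaw, kept on purpose.
    """
    return url.startswith("/")


def is_local_redirect(url: str) -> bool:
    """Hardened check: accept only same-origin, path-absolute URLs.

    Rejects empty values, anything that parses with a scheme or host, and
    the "//host", "/\\host" and "///host" spellings that browsers resolve
    as protocol-relative (assumed behaviour, matching what Django's own
    url_has_allowed_host_and_scheme guards against).
    """
    if url is None:
        return False
    url = url.strip()  # browsers ignore leading/trailing whitespace
    if not url:
        return False
    # Browsers normalise backslashes to slashes in the authority position,
    # so "/\\evil.example" behaves like "//evil.example".
    normalised = url.replace("\\", "/")
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    return normalised.startswith("/")


def safe_redirect_target(requested: str, fallback: str = "/admin/") -> str:
    """Return the requested URL if it stays on this origin, else the fallback.

    The fallback path is an assumption for this example.
    """
    return requested if is_local_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed inputs: a benign admin path and the bypass payload.
    for target in ("/admin/auth/user/", "//evil.example/", "/\\evil.example"):
        print(
            f"{target!r}: naive={is_local_redirect_vulnerable(target)} "
            f"hardened={is_local_redirect(target)} "
            f"-> {safe_redirect_target(target)}"
        )
```

The naive check returns True for every value in the loop, while the hardened check only admits the first one; in a view, the hardened result is what should be passed to the redirect. In a real Django project, django.utils.http.url_has_allowed_host_and_scheme with the request host and the is_secure flag is the standard call for this check.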
References
- github.com/sehmaschine/django-grappelli/commit/4ca94bcda0fa2720594506853d85e00c8212968f (NVD: Patch)
- github.com/sehmaschine/django-grappelli/pull/976 (NVD: Patch)
- github.com/sehmaschine/django-grappelli/issues/975 (NVD: Exploit, Issue Tracking)
- github.com/advisories/GHSA-9x43-5qcq-h79q (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-46898 (GHSA: Advisory)
- github.com/pypa/advisory-database/tree/main/vulns/django-grappelli/PYSEC-2023-211.yaml (GHSA)
- github.com/sehmaschine/django-grappelli/compare/2.15.1...2.15.2 (NVD: Release Notes)