PT-2022-13487 · Spirit · Django-Spirit

Published 2022-03-06 · Updated 2022-03-11 · CVE-2022-0869

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: spirit versions prior to 0.12.3; django-spirit versions prior to 0.12.3
Description: Multiple open redirects in the Spirit GitHub repository. When the requesting user is already logged in, the /user/login endpoint takes the value of the next query parameter and passes it straight to the redirect without validating its host or scheme, so a crafted link can send an authenticated user to an arbitrary external site (hence UI:R in the vector: the victim has to follow the attacker's link). The same unchecked handling of next affects the /user/logout, /user/register, and /user/resend-activation endpoints.
Recommendations: For spirit versions prior to 0.12.3, update to version 0.12.3 or later. For django-spirit versions prior to 0.12.3, update to version 0.12.3 or later. If you cannot upgrade immediately, consider restricting access to the vulnerable endpoints (/user/login, /user/logout, /user/register, and /user/resend-activation) as a temporary workaround, and do not rely on the next parameter of those endpoints until the update has been applied.
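The flaw class described above, as an added example that is not Spirit's code: a stand-alone re-implementation of the host-and-scheme check a next parameter needs before it reaches a redirect, beside a sketch of the unchecked flow. The hostname forum.example.org, the function names login_redirect_vulnerable / login_redirect_fixed / is_safe_redirect and the probe values are assumptions made for this illustration; the safe-URL logic follows the intent of Django's url_has_allowed_host_and_scheme() but is written against urllib.parse so it runs without Django installed.

```python
"""Validating a `next` redirect target (added example; not Spirit's source)."""
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed for this example: the hosts this deployment may redirect to.
ALLOWED_HOSTS = {"forum.example.org"}


def is_safe_redirect(target: str, allowed_hosts: Iterable[str]) -> bool:
    """True only if `target` is a same-site path or an http(s) URL whose host is
    in `allowed_hosts`. Stand-alone re-implementation of the checks behind
    Django's url_has_allowed_host_and_scheme(); assumption, not Django's code."""
    if not target:
        return False
    target = target.strip()
    if not target:
        return False
    # Browsers treat a backslash like a slash, so '/\evil' resolves as '//evil';
    # Chrome also treats three or more leading slashes as an absolute URL.
    if target.startswith("///") or target.startswith("/\\"):
        return False
    parts = urlsplit(target.replace("\\", "/"))
    # A scheme with no host ('javascript:alert(1)', 'https:evil.example') is never safe.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # 'https://evil.example' and '//evil.example' both carry a netloc; only ours passes.
    # The comparison is exact, so 'ours@evil.example' and 'ours:443' are rejected too.
    if parts.netloc and parts.netloc not in set(allowed_hosts):
        return False
    return True


def login_redirect_vulnerable(next_param: Optional[str]) -> str:
    """Hypothetical sketch of the pattern the advisory describes: an already
    authenticated user hits /user/login/?next=... and the value is handed to the
    redirect untouched."""
    return next_param or "/"


def login_redirect_fixed(next_param: Optional[str],
                         allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> str:
    """Same flow with the host/scheme check; anything unsafe falls back to '/'."""
    candidate = next_param or "/"
    return candidate if is_safe_redirect(candidate, allowed_hosts) else "/"


if __name__ == "__main__":
    # Constructed probe values a tester would supply as ?next=... while logged in.
    probes = [
        "/topic/1/",
        "https://forum.example.org/t/1/",
        "//evil.example/",
        "https://evil.example/",
        "/\\evil.example",
        "http://forum.example.org@evil.example/",
        "javascript:alert(1)",
    ]
    for p in probes:
        print(f"{p!r:42} vulnerable -> {login_redirect_vulnerable(p)!r:42} "
              f"fixed -> {login_redirect_fixed(p)!r}")
```

The probe list doubles as the test a practitioner would run against a deployment: while logged in, request /user/login/?next=//attacker.example (attacker host constructed here) and inspect the Location header of the 302. The unchecked flow answers with the off-site target; the hardened flow in this example falls back to /.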

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2022-0869
GHSA-5P9J-W2WX-QX4C

Affected Products

Django-Spirit
Spirit