This would redirect a user to their email if they had requested a confirmation link. This was fixed in 2.3.5. Upgrading to 2.3.5 is the recommended fix. If you are unable to upgrade, you can disable the open redirect in the `/confirm` endpoint. Open the `confirm.py` file and change the `REMOVE_REDIRECTS = False` line to `REMOVE_REDIRECTS = True`. The file can also be set to `None` instead of `True`.
Disable Cross Site Request Forgery (CSRF) Protection
This would allow an attacker to bypass the confirmation link and send a request directly to your email. This was fixed in 2.3.5. Upgrading to 2.3.5 is the recommended fix. If you are unable to upgrade, you can disable the open redirect in the `/confirm` endpoint. Open the `confirm.py` file and change the `REMOVE_REDIRECTS = False` line to `REMOVE_REDIRECTS = True`. The file can also be set to `None` instead of `True`.
How to fix Open Redirect to Confirm Page
It is very important that you upgrade to 2.3.5 to fix this vulnerability if you can. To disable the open redirect, go to your `confirm.py` and change the line ``REMOVE_REDIRECTS = False`` to ``REMOVE_REDIRECTS = True``
Timeline
Published on: 09/21/2022 08:15:00 UTC
Last modified on: 09/22/2022 15:42:00 UTC