CVE-2023-38759

HIGH8.8EPSS 0.42%

wger Workout Manager Cross-Site Request Forgery vulnerability

Published: 8/8/2023Modified: 11/19/2024

Description

Cross Site Request Forgery (CSRF) vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the `user-management` feature in the `gym/views/gym.py`, `templates/gym/reset_user_password.html`, `templates/user/overview.html`, `core/views/user.py`, and `templates/user/preferences.html`, `core/forms.py` components.

Affected packages (2)

PyPI/wgerfrom 0, <= 2.2.0a3
PyPI/wgerfrom 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-38759
PATCHhttps://github.com/wger-project/wger
WEBhttps://github.com/0x72303074/CVE-Disclosures
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/wger/PYSEC-2023-144.yaml
WEBhttps://wger.de