CVE-2023-38759

HIGH8.8EPSS 0.45%

wger Workout Manager Cross-Site Request Forgery vulnerability

發布日:2023/8/8修改日:2024/11/19

描述

Cross Site Request Forgery (CSRF) vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the `user-management` feature in the `gym/views/gym.py`, `templates/gym/reset_user_password.html`, `templates/user/overview.html`, `core/views/user.py`, and `templates/user/preferences.html`, `core/forms.py` components.

受影響套件(2)

PyPI/wgerfrom 0, <= 2.2.0a3
PyPI/wgerfrom 0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-38759
PATCHhttps://github.com/wger-project/wger
WEBhttps://github.com/0x72303074/CVE-Disclosures
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/wger/PYSEC-2023-144.yaml
WEBhttps://wger.de