CVE-2023-38759

Name of the Vulnerable Software and Affected Versions wger Project wger Workout Manager version 2.2.0a3

Description A Cross Site Request Forgery (CSRF) issue allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/reset user password.html, templates/user/overview.html, core/views/user.py, and templates/user/preferences.html, core/forms.py components. This can be exploited through the user-management feature.

Recommendations As a temporary workaround, consider disabling the user-management feature until a patch is available. Restrict access to the vulnerable components, such as gym/views/gym.py, templates/gym/reset user password.html, templates/user/overview.html, core/views/user.py, and templates/user/preferences.html, core/forms.py, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.