Enviar #857933: wger-project wger 2.6.0-alpha2 / master branch at commit ea7844731f7e3fe5865c327c1f93f5f4a76dde75 CWE-352 Cross-Site Request Forgery / CWE-749 Exposed Dangerous Minformación

Títulowger-project wger 2.6.0-alpha2 / master branch at commit ea7844731f7e3fe5865c327c1f93f5f4a76dde75 CWE-352 Cross-Site Request Forgery / CWE-749 Exposed Dangerous M
Descripciónwger's gym user password reset view performs a security-sensitive account action on any HTTP method, including GET. The route `user/<int:user_pk>/reset-user-password` calls `reset_user_password()`, which checks that the requester is authenticated and has gym-management permissions, then generates a new password, calls `user.set_password(password)`, saves the target user, and renders the generated password. Because the view does not require POST and Django CSRF protection does not apply to GET requests, an attacker can cause an authenticated gym manager's browser to request a crafted reset URL for a user in scope. The target user's old password is invalidated without deliberate confirmation, causing account lockout and exposing the generated replacement password in the manager's browser response. Remediation should require POST with CSRF validation and an explicit confirmation step.
Fuente⚠️ https://github.com/wger-project/wger/issues/2380
Usuario
 GalaxynC (UID 98975)
Sumisión2026-06-13 13:10 (hace 1 mes)
Moderación2026-07-18 10:37 (1 month later)
EstadoDuplicado
Entrada de VulDB236497 [wger Workout Manager 2.2.0a3 User-Management Page gym/views/gym.py falsificación de solicitudes en sitios cruzados]
Puntos0

Interested in the pricing of exploits?

See the underground prices here!