जमा करें #857934: wger-project wger 2.6.0-alpha2 / master branch at commit ea7844731f7e3fe5865c327c1f93f5f4a76dde75 CWE-352 Cross-Site Request Forgery / CWE-749 Exposed Dangerous Mजानकारी

शीर्षकwger-project wger 2.6.0-alpha2 / master branch at commit ea7844731f7e3fe5865c327c1f93f5f4a76dde75 CWE-352 Cross-Site Request Forgery / CWE-749 Exposed Dangerous M
विवरणwger's account deactivation view performs a security-sensitive account action through GET. `UserDeactivateView` inherits from Django's `RedirectView`, and its `get_redirect_url()` method loads the selected user, sets `is_active = False`, saves the user, and redirects. The existing authentication and gym-scope checks limit who can perform the operation, but they do not protect the request from cross-site triggering because GET requests are not CSRF-protected. An attacker can cause an authenticated gym admin, manager, or trainer with sufficient scope to visit a crafted deactivation URL, disabling the target account without the operator's intentional action. Remediation should move deactivation to a POST-only view with CSRF validation and an explicit confirmation step; the sibling activation view should be fixed in the same way.
स्रोत⚠️ https://github.com/wger-project/wger/issues/2380
उपयोगकर्ता
 GalaxynC (UID 98975)
सबमिशन13/06/2026 01:11 PM (1 महीना पहले)
संयम18/07/2026 10:37 AM (1 month later)
स्थितिप्रतिलिपि
VulDB प्रविष्टि236497 [wger Workout Manager 2.2.0a3 User-Management Page gym/views/gym.py क्रॉस साइट रिक्वेस्ट फॉर्जरी]
अंक0

Want to know what is going to be exploited?

We predict KEV entries!