제출 #857933: wger-project wger 2.6.0-alpha2 / master branch at commit ea7844731f7e3fe5865c327c1f93f5f4a76dde75 CWE-352 Cross-Site Request Forgery / CWE-749 Exposed Dangerous M정보

제목wger-project wger 2.6.0-alpha2 / master branch at commit ea7844731f7e3fe5865c327c1f93f5f4a76dde75 CWE-352 Cross-Site Request Forgery / CWE-749 Exposed Dangerous M
설명wger's gym user password reset view performs a security-sensitive account action on any HTTP method, including GET. The route `user/<int:user_pk>/reset-user-password` calls `reset_user_password()`, which checks that the requester is authenticated and has gym-management permissions, then generates a new password, calls `user.set_password(password)`, saves the target user, and renders the generated password. Because the view does not require POST and Django CSRF protection does not apply to GET requests, an attacker can cause an authenticated gym manager's browser to request a crafted reset URL for a user in scope. The target user's old password is invalidated without deliberate confirmation, causing account lockout and exposing the generated replacement password in the manager's browser response. Remediation should require POST with CSRF validation and an explicit confirmation step.
원천⚠️ https://github.com/wger-project/wger/issues/2380
사용자
 GalaxynC (UID 98975)
제출2026. 06. 13. PM 01:10 (1 월 ago)
모더레이션2026. 07. 18. AM 10:37 (1 month later)
상태중복
VulDB 항목236497 [wger Workout Manager 2.2.0a3 User-Management Page gym/views/gym.py 교차 사이트 요청 위조]
포인트들0

Do you need the next level of professionalism?

Upgrade your account now!