提交 #857933: wger-project wger 2.6.0-alpha2 / master branch at commit ea7844731f7e3fe5865c327c1f93f5f4a76dde75 CWE-352 Cross-Site Request Forgery / CWE-749 Exposed Dangerous M信息

标题wger-project wger 2.6.0-alpha2 / master branch at commit ea7844731f7e3fe5865c327c1f93f5f4a76dde75 CWE-352 Cross-Site Request Forgery / CWE-749 Exposed Dangerous M
描述wger's gym user password reset view performs a security-sensitive account action on any HTTP method, including GET. The route `user/<int:user_pk>/reset-user-password` calls `reset_user_password()`, which checks that the requester is authenticated and has gym-management permissions, then generates a new password, calls `user.set_password(password)`, saves the target user, and renders the generated password. Because the view does not require POST and Django CSRF protection does not apply to GET requests, an attacker can cause an authenticated gym manager's browser to request a crafted reset URL for a user in scope. The target user's old password is invalidated without deliberate confirmation, causing account lockout and exposing the generated replacement password in the manager's browser response. Remediation should require POST with CSRF validation and an explicit confirmation step.
来源⚠️ https://github.com/wger-project/wger/issues/2380
用户
 GalaxynC (UID 98975)
提交2026-06-13 13時10分 (1 月前)
管理2026-07-18 10時37分 (1 month later)
状态重复
VulDB条目236497 [wger Workout Manager 2.2.0a3 User-Management Page gym/views/gym.py 跨网站请求伪造]
积分0

Do you know our Splunk app?

Download it now for free!