VYPR
Moderate severity · NVD Advisory · Published Aug 8, 2023 · Updated Oct 10, 2024

CVE-2023-38758


Description

Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the license_author field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in wger Workout Manager v2.2.0a3 via the license_author field allows remote attackers to inject arbitrary web scripts.

The vulnerability is a stored cross-site scripting (XSS) issue in the wger Workout Manager, version 2.2.0a3. The root cause is improper sanitization of the license_author field when adding an ingredient via the /en/nutrition/ingredient/add/ endpoint. The flaw affects components such as templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py, allowing arbitrary HTML or JavaScript to be stored and later rendered to other users [1][2].

An attacker can exploit this vulnerability by submitting a crafted payload in the license_author parameter through the add-ingredient function. No authentication is explicitly required to reach the ingredient submission endpoint, and the attack can be performed remotely. The injected script becomes part of the ingredient's data and is executed in the context of the victim's browser when the ingredient page is viewed [2].

Successful exploitation enables an attacker to execute arbitrary web script or HTML in the context of any user who views the malicious ingredient. This can lead to session hijacking, credential theft, or other client-side attacks, effectively allowing privilege escalation within the application [1][2].
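The following is an added example, not code from the wger project: it contrasts a template fragment that emits the stored license_author value unescaped, the pattern behind this CVE, with the same fragment rendered under HTML escaping (what Django's default autoescaping gives for `{{ ingredient.license_author }}`), and adds a hypothetical model-level validator as defence in depth. The sample ingredient record and the helper names are constructed for illustration.

```python
# Added example (not wger's code): unescaped vs. escaped rendering of the
# license_author field, plus an input-side validator for the model/form layer.
import html
import re

# Constructed sample of an ingredient record as it would sit in the database.
# The license_author value carries markup a remote submitter could have stored.
SAMPLE_INGREDIENT = {
    "name": "Oats",
    "license_author": "<script>/* constructed test */</script>Alice",
}


def render_vulnerable(ingredient: dict) -> str:
    """Mimics a template that emits license_author without escaping
    (e.g. `{{ ingredient.license_author|safe }}` or autoescape turned off).
    Stored markup reaches the viewer's browser as live HTML."""
    return (f"<p>Ingredient: {html.escape(ingredient['name'])}</p>"
            f"<p>Author: {ingredient['license_author']}</p>")


def render_hardened(ingredient: dict) -> str:
    """Same fragment with every user-controlled value HTML-escaped, which is
    what Django's default autoescaping does for `{{ ingredient.license_author }}`."""
    return (f"<p>Ingredient: {html.escape(ingredient['name'], quote=True)}</p>"
            f"<p>Author: {html.escape(ingredient['license_author'], quote=True)}</p>")


_MARKUP = re.compile(r"[<>]")


def validate_license_author(value: str) -> str:
    """Hypothetical validator for the model/form layer: an author name never
    needs angle brackets, so reject them on input rather than relying on
    output encoding alone. Returns the stripped value or raises ValueError."""
    value = value.strip()
    if _MARKUP.search(value):
        raise ValueError("license_author must not contain HTML markup")
    return value


def contains_live_tag(rendered: str) -> bool:
    """Check whether rendered output still contains an unescaped <script> tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", contains_live_tag(render_vulnerable(SAMPLE_INGREDIENT)))  # True
    print("hardened:", contains_live_tag(render_hardened(SAMPLE_INGREDIENT)))      # False
```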

As of the advisory publication (August 2023), the issue was present in version 2.2.0a3. The vulnerability is also documented in the PyPA advisory database [4]; users should check the project's official repository for updates or patches. The wger project is actively maintained, and upgrading to a fixed version is strongly recommended [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: wger (PyPI)
Affected versions: <= 2.2.0a3
Patched versions: (none listed)

Affected products (2)

  • wger Project / wger Workout Manager (from the CVE description)
  • GHSA coordinates: range <= 2.2.0a3

Patches (0)

No patches discovered yet.


References (4)
