CVE-2023-38759

Vulnerability

Overview

CVE-2023-38759 is a Cross-Site Request Forgery (CSRF) vulnerability in wger Workout Manager version 2.2.0a3. The application fails to include CSRF tokens in user-management forms, specifically in the gym/views/gym.py, core/views/user.py, and related templates. This allows an attacker to craft malicious requests that execute unauthorized actions on behalf of an authenticated user.[1][2]

Exploitation

An attacker can exploit this by tricking a logged-in user into visiting a crafted web page or clicking a malicious link. The vulnerable endpoints include /en/user/preferences, /en/gym/user/1/reset-user-password, and /en/user/password/reset/. No authentication other than the victim's existing session is required for the attacker to initiate the requests.[2]

Impact

Successful exploitation enables the attacker to change the victim's email address or reset their password, leading to full account compromise. The attacker can then exfiltrate sensitive data associated with the compromised account, such as workout logs, nutrition plans, and personal information.[2][4] This can result in privilege escalation within the application.

Mitigation

Users of wger Workout Manager should upgrade to a patched version beyond 2.2.0a3. The wger project recommends implementing proper CSRF tokens in all forms. As of this writing, no official patch has been released, but users can apply workarounds such as enabling same-site cookies or using a web application firewall (WAF) to mitigate the risk.[3][4]