CVE-2023-38759

HIGH

wger Project wger Workout Manager 2.2.0a3 - CSRF

Title source: llm

Description

Cross Site Request Forgery (CSRF) vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/reset_user_password.html, templates/user/overview.html, core/views/user.py, and templates/user/preferences.html, core/forms.py components.

References (2)

Core 2

Core References

Third Party Advisory

https://github.com/0x72303074/CVE-Disclosures

View Writeup ZIP pw:eip

Product

https://wger.de

Scores

CVSS v3 8.8

EPSS 0.0042

EPSS Percentile 62.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-352

Status published

Products (2)

pypi/wger 0PyPI

wger/workout_manager 2.2.0 a3

Published Aug 08, 2023

Tracked Since Feb 18, 2026