漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
Vulnerability Description
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` return all users' repetition config data because their `get_queryset()` calls `.all()` instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Commit 1fda5690b35706bb137850c8a084ec6a13317b64 contains a fix for the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
通过用户控制密钥绕过授权机制
Vulnerability Title
wger 安全漏洞
Vulnerability Description
wger是wger Project开源的使用 Django 编写的自托管 FLOSS 健身/锻炼、营养和体重追踪器。 wger 2.4及之前版本存在安全漏洞,该漏洞源于查询集过滤不当,可能导致枚举其他用户数据。
CVSS Information
N/A
Vulnerability Type
N/A