wger: Stored XSS via Unescaped License Attribution Fields

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields (such as license_author) without escaping, and templates render the result using Django's |safe filter. An authenticated user can create an ingredient with a malicious license_author value containing JavaScript, which executes in the browser of any visitor viewing the ingredient page, resulting in stored XSS. This issue has been fixed in version 2.5.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

wger 安全漏洞

wger是wger Project开源的使用 Django 编写的自托管 FLOSS 健身/锻炼、营养和体重追踪器。 wger 2.5及之前版本存在安全漏洞，该漏洞源于AbstractLicenseModel中的attribution_link属性通过直接插值用户控制的许可证字段构建HTML且未转义，模板使用|safe过滤器渲染结果，可能导致经过身份验证的用户创建包含JavaScript的恶意license_author值，在访问者查看成分页面时执行存储型跨站脚本。

N/A

N/A