CVE-2023-38759
📋 TL;DR
This CSRF vulnerability in wger Workout Manager 2.2.0a3 lets an attacker who lures an authenticated user onto a malicious web page make that user's browser submit state-changing requests to wger, such as resetting another user's password or changing user privileges, with the victim's session cookie attached. It affects administrators and users of wger 2.2.0a3 who use the web interface; the more privileged the victim, the more the attacker can do, up to unauthorized access to other accounts or privilege escalation.
💻 Affected Systems
- wger Workout Manager
📦 What is this software?
wger Workout Manager is an open-source, self-hosted web application for managing workouts, nutrition plans and gym members. It is written in Python on the Django framework, which is why the mitigations below refer to Django's CSRF middleware and template tag.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access, reset all user passwords, take full control of the workout management system, and potentially access sensitive user data.
Likely Case
Attackers reset specific user passwords to gain unauthorized access, modify user privileges, or perform actions on behalf of authenticated users.
If Mitigated
With CSRF protection in place, a forged request arrives with the victim's session cookie but without a valid CSRF token (which the attacker's page cannot read), so the server rejects it and no action is taken even if the user is tricked into clicking a malicious link or visiting a malicious page.
🎯 Exploit Status
Exploitation requires tricking a user who is currently logged in to wger into visiting a web page the attacker controls; a page containing an auto-submitting HTML form aimed at the affected endpoint is enough, and the browser attaches the victim's session cookie on its own. CSRF attacks are well understood and easy to implement, so no specialised exploit is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not stated here; upgrade to the latest wger release (later than 2.2.0a3) and confirm that the affected views and templates enforce CSRF tokens
Vendor Advisory: https://wger.de
Restart Required: Yes
Instructions:
1. Update wger Workout Manager to the latest patched version.
2. Restart the application server.
3. Verify that CSRF tokens are properly implemented in the affected components.
🔧 Temporary Workarounds
Implement CSRF Protection Middleware
Add CSRF token validation to every state-changing request in the affected components
Confirm that django.middleware.csrf.CsrfViewMiddleware is present in MIDDLEWARE in the wger settings actually in use (Django enables it in a default project; check for a local settings override that drops it)
Remove any @csrf_exempt decorator from the affected views, or add @csrf_protect to them if the middleware is not active globally, and make sure every POST form in the affected templates renders {% csrf_token %}
Make state-changing views accept POST only (Django's @require_POST): the CSRF middleware only checks unsafe methods, so a view that changes state on GET can be forged with a plain link or image tag regardless of tokens
Restrict User Management Access
Limit access to user management features to specific IP addresses or networks
Configure the web server (e.g., nginx, Apache) to restrict the /gym/ and /user/ paths
Use firewall rules to limit access to management interfaces
Note that this narrows exposure rather than removing it: a forged request is sent by the victim's own browser from inside the allowed network, so a logged-in administrator on a permitted address can still be targeted
🧯 If You Can't Patch
- Set the session cookie to SameSite=Strict (in Django: SESSION_COOKIE_SAMESITE = 'Strict', and CSRF_COOKIE_SAMESITE likewise) so that browsers omit it from cross-site requests; Django's default of 'Lax' blocks cross-site POSTs but still attaches the cookie to top-level GET navigations, so it only helps if no affected view changes state on GET. Require re-authentication for sensitive actions such as password resets and privilege changes
- Monitor application and web-server logs for unusual password reset or privilege change activity
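A settings-level version of the cookie mitigation above, added here as an example rather than taken from wger's own settings.py. The setting names are Django's; the 'Strict' value is this page's suggestion for a temporary hardening, not a wger default, and the weak variant is shown only for contrast:

```python
# Added example, not wger's settings.py. Django settings that keep CSRF
# protection active while a patch for CVE-2023-38759 is pending.

# Weak variant (for contrast, do not use): middleware dropped and cookies
# sent on every cross-site request.
#   MIDDLEWARE = [...]                 # without CsrfViewMiddleware
#   SESSION_COOKIE_SAMESITE = None     # cookie attached cross-site

MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",  # must stay in the list
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
]

# Browsers omit Strict cookies from every cross-site request, so a forged
# POST reaches wger without a session and is treated as anonymous.
# Django's default, "Lax", still sends the cookie on top-level GET
# navigations, which only matters if a view changes state on GET.
SESSION_COOKIE_SAMESITE = "Strict"
CSRF_COOKIE_SAMESITE = "Strict"

# Keep both cookies off plain HTTP while at it.
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
```

With Strict, a user who reaches wger by following a link from an external site (for example from e-mail) is treated as logged out on that first navigation until they click within the site. That is acceptable for a stop-gap and can be relaxed back to 'Lax' once the patched release is deployed.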
🔍 How to Verify
Check if Vulnerable:
Check whether the installed wger version is 2.2.0a3 and examine the components the report names (gym/views/gym.py, templates/gym/reset_user_password.html, templates/user/overview.html, core/views/user.py, templates/user/preferences.html and core/forms.py) for POST forms rendered without {% csrf_token %}, views marked @csrf_exempt, or state changes performed on GET requests
Check Version:
Check wger version in settings or via package manager: pip show wger or check project version file
Verify Fix Applied:
Verify that every POST request in the affected components includes and validates a CSRF token, then test from a different origin that a cross-site POST to the affected endpoints is rejected (Django answers with HTTP 403) while the same request submitted through the application's own form succeeds
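The template and view checks from the workaround and verification sections can be run as a script. The following is an added example and not wger project code: it scans Django templates for POST forms that lack {% csrf_token %} and Python modules for views opted out with @csrf_exempt. The file names in the sample echo the components named above, but their contents are constructed for the example, not copied from wger.

```python
"""Static check for the two ways a Django app loses CSRF protection.

Added example, not wger code. Point scan() at the files the advisory names;
SAMPLE_FILES below is constructed input.
"""
import ast
import re
from typing import Dict, List

FORM_TAG_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE | re.DOTALL)
METHOD_POST_RE = re.compile(r"""\bmethod\s*=\s*["']?post["']?""", re.IGNORECASE)
CSRF_TAG_RE = re.compile(r"{%\s*csrf_token\s*%}")


def post_forms_without_csrf(template: str) -> List[int]:
    """1-based line numbers of <form method="post"> tags that have no
    {% csrf_token %} anywhere before the next </form>."""
    findings = []
    for tag in FORM_TAG_RE.finditer(template):
        if not METHOD_POST_RE.search(tag.group(0)):
            continue  # GET forms carry no CSRF token by design
        end = template.find("</form>", tag.end())
        body = template[tag.end():end if end != -1 else len(template)]
        if not CSRF_TAG_RE.search(body):
            findings.append(template.count("\n", 0, tag.start()) + 1)
    return findings


def _mentions_csrf_exempt(decorator: ast.expr) -> bool:
    # Catches @csrf_exempt, @csrf.csrf_exempt and
    # @method_decorator(csrf_exempt, name="dispatch").
    for node in ast.walk(decorator):
        if isinstance(node, ast.Name) and node.id == "csrf_exempt":
            return True
        if isinstance(node, ast.Attribute) and node.attr == "csrf_exempt":
            return True
    return False


def csrf_exempt_views(source: str) -> List[str]:
    """Names of functions or classes decorated with csrf_exempt."""
    names = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            if any(_mentions_csrf_exempt(d) for d in node.decorator_list):
                names.append(node.name)
    return names


def scan(files: Dict[str, str]) -> Dict[str, list]:
    """Map file name -> findings: line numbers for templates, view names for modules."""
    report = {}
    for name, text in files.items():
        if name.endswith(".html"):
            hits = post_forms_without_csrf(text)
        elif name.endswith(".py"):
            hits = csrf_exempt_views(text)
        else:
            continue
        if hits:
            report[name] = hits
    return report


# Constructed sample files; names echo the advisory, contents are invented.
SAMPLE_FILES = {
    "templates/gym/reset_user_password.html": """\
<h1>Reset password</h1>
<form method="post" action="">
  <input type="password" name="new_password">
  <button type="submit">Reset</button>
</form>
<form method="POST" action="">
  {% csrf_token %}
  <input type="text" name="note">
</form>
<form method="get" action="/search/">
  <input name="q">
</form>
""",
    "gym/views/gym.py": """\
from django.views.decorators.csrf import csrf_exempt
from django.contrib.auth.decorators import login_required

@login_required
@csrf_exempt
def reset_user_password(request, user_pk):
    ...

@login_required
def preferences(request):
    ...
""",
}

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        print(f"{path}: {hits}")
```

A clean scan is necessary but not sufficient: a view that changes state on GET passes both checks, so the GET-versus-POST review still has to be done by hand.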
📡 Detection & Monitoring
Log Indicators:
- Bursts of password reset or privilege change requests against one or more accounts; keep in mind that in a CSRF attack the requests come from the victim's own address, not the attacker's, so source IP alone is not a reliable indicator
- User privilege changes without corresponding admin actions
- POST requests to /gym/ or /user/ endpoints whose Origin or Referer header names a host other than the wger instance; requests with both headers absent are a weaker signal, since privacy extensions strip them too. CSRF tokens are not normally written to logs, so log review has to rely on these headers rather than on the token itself
Network Indicators:
- Cross-site POSTs to the affected endpoints (Origin or Referer pointing at a third-party site), visible at a reverse proxy or WAF that records request headers
- Unusual cross-origin requests to user management features, particularly POSTs to a form endpoint from a session that never fetched the form page
SIEM Query:
source="wger_logs" AND http_method="POST" AND (url_path="/gym/reset_user_password" OR url_path="/user/overview") AND NOT (http_origin="https://wger.example.org" OR http_referer="https://wger.example.org/*")
The field names and the host are placeholders; adapt them to the log format in use. The query assumes the web server logs the Origin and Referer request headers, since the CSRF token itself is not logged.
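The same Origin/Referer check run over access-log lines, as an added example that is not part of the original advisory or of wger. Everything it assumes is constructed for the example: the instance is served at wger.example.org, the affected endpoints sit under /gym/ and /user/, and the web server's log format appends the Referer and Origin headers in quotes (for nginx, a log_format ending in "$http_referer" "$http_origin"; absent headers are logged as "-").

```python
"""Flag forged-looking POSTs to wger user-management paths in access logs.

Added example, not wger code. Assumes the constructed log format and host
described above; SAMPLE_LOG is invented traffic.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

APP_HOST = "wger.example.org"           # assumed deployment hostname
WATCHED_PREFIXES = ("/gym/", "/user/")  # path prefixes from this advisory

# Combined-style line with "$http_referer" "$http_origin" appended (assumed).
LINE_RE = re.compile(
    r'(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<origin>[^"]*)"'
)


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return why a request looks forged, or None.

    Only POSTs to the watched paths are examined. A CSRF page cannot set
    custom headers, so the browser's own Origin/Referer give it away.
    """
    if rec["method"] != "POST" or not rec["path"].startswith(WATCHED_PREFIXES):
        return None
    origin, referer = rec["origin"], rec["referer"]  # "-" means absent
    if origin != "-":
        if urlsplit(origin).hostname == APP_HOST:
            return None
        return f"cross-site Origin {origin}"
    if referer != "-":
        if urlsplit(referer).hostname == APP_HOST:
            return None
        return f"cross-site Referer {referer}"
    # Both absent: weaker signal (privacy extensions strip them), but a
    # browser-issued form POST normally carries at least Origin.
    return "POST with neither Origin nor Referer"


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    """(user, path, reason) for every log line that classify() flags."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # different log_format: skip rather than guess
        reason = classify(m.groupdict())
        if reason:
            hits.append((m["user"], m["path"], reason))
    return hits


# Constructed sample log. Every request comes from the victim's own address,
# which is why source IP does not separate the forged POSTs from the real one.
SAMPLE_LOG = """\
203.0.113.7 - alice [12/Jul/2023:10:00:01 +0000] "POST /user/overview HTTP/1.1" 302 0 "https://wger.example.org/user/overview" "https://wger.example.org"
203.0.113.7 - alice [12/Jul/2023:10:00:09 +0000] "POST /gym/reset_user_password HTTP/1.1" 302 0 "https://evil.example.net/free-plan" "https://evil.example.net"
203.0.113.7 - alice [12/Jul/2023:10:00:12 +0000] "POST /gym/reset_user_password HTTP/1.1" 302 0 "-" "-"
198.51.100.3 - bob [12/Jul/2023:10:01:00 +0000] "GET /user/overview HTTP/1.1" 200 1337 "https://evil.example.net/" "-"
"""

if __name__ == "__main__":
    for user, path, reason in find_suspicious(SAMPLE_LOG):
        print(f"{user} {path}: {reason}")
```

The last sample line is a cross-site GET and is deliberately not flagged; if review of the affected views shows that any of them changes state on GET, extend classify() to cover that method for those paths, since the Origin header is then usually absent and only Referer remains.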