Lucene search
K

7 matches found

Snyk
Snyk
added 2026/02/27 12:16 a.m.2 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the getqueryset function in the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet process. An attacker can access other users' workout configuration data by sending authenticat...

5.3CVSS6AI score0.00257EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/02/26 10:13 p.m.12 views

wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

Summary RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Details...

4.3CVSS5.5AI score0.00257EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/02/26 10:13 p.m.2 views

GHSA-XF68-8HJW-7MPM wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

Summary RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Details...

4.3CVSS5.6AI score0.00257EPSS
Exploits1References4
OSV
OSV
added 2026/02/26 10:0 p.m.6 views

CVE-2026-27835 wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user...

4.3CVSS5.8AI score0.00257EPSS
Exploits1References4
CVE
CVE
added 2026/02/26 10:0 p.m.25 views

CVE-2026-27835

Issue summary. CVE-2026-27835 affects wger (versions up to 2.4). The vulnerable components are RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet, whose get_queryset() returns all objects (using .all()) instead of filtering by the authenticated user, enabling an authenticated user to enumer...

4.3CVSS5.3AI score0.00257EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/26 12:0 a.m.13 views

PT-2026-22203

Name of the Vulnerable Software and Affected Versions wger versions prior to 2.4 Description wger is a free, open-source workout and fitness manager. Versions up to and including 2.4 improperly handle user data retrieval. The RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet API endpoints...

4.3CVSS5.9AI score0.00257EPSS
Exploits1References6
Tenable Nessus
Tenable Nessus
added 2007/11/09 12:0 a.m.234 views

SNMP GETBULK Large max-repetitions Remote DoS

It is possible to disable the remote SNMP daemon by sending a GETBULK request with a large value for 'max-repetitions'. A remote attacker may be able to leverage this issue to cause the daemon to consume excessive memory and CPU on the affected system while it tries unsuccessfully to process the...

7.8CVSS7.7AI score0.28966EPSS
Exploits1References3
Rows per page
Query Builder