7 matches found
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the getqueryset function in the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet process. An attacker can access other users' workout configuration data by sending authenticat...
wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
Summary RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Details...
GHSA-XF68-8HJW-7MPM wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
Summary RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Details...
CVE-2026-27835 wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user...
CVE-2026-27835
Issue summary. CVE-2026-27835 affects wger (versions up to 2.4). The vulnerable components are RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet, whose get_queryset() returns all objects (using .all()) instead of filtering by the authenticated user, enabling an authenticated user to enumer...
PT-2026-22203
Name of the Vulnerable Software and Affected Versions wger versions prior to 2.4 Description wger is a free, open-source workout and fitness manager. Versions up to and including 2.4 improperly handle user data retrieval. The RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet API endpoints...
SNMP GETBULK Large max-repetitions Remote DoS
It is possible to disable the remote SNMP daemon by sending a GETBULK request with a large value for 'max-repetitions'. A remote attacker may be able to leverage this issue to cause the daemon to consume excessive memory and CPU on the affected system while it tries unsuccessfully to process the...