Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14546 vulnerabilities reference this CWE, most recent first.

GHSA-XMXF-WJR9-RPWR

Vulnerability from github – Published: 2023-07-12 09:30 – Updated: 2024-04-04 06:02
VLAI
Details

In telephony service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-12T09:15:11Z",
    "severity": "HIGH"
  },
  "details": "In telephony service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges.",
  "id": "GHSA-xmxf-wjr9-rpwr",
  "modified": "2024-04-04T06:02:45Z",
  "published": "2023-07-12T09:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30929"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1676902764208259073"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP5G-JHG3-3RG2

Vulnerability from github – Published: 2023-05-22 00:30 – Updated: 2023-05-30 23:12
VLAI
Summary
Double spend in snarkjs
Details

iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "snarkjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-33252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-22T19:37:12Z",
    "nvd_published_at": "2023-05-21T22:15:14Z",
    "severity": "HIGH"
  },
  "details": "iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.",
  "id": "GHSA-xp5g-jhg3-3rg2",
  "modified": "2023-05-30T23:12:12Z",
  "published": "2023-05-22T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33252"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/iden3/snarkjs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iden3/snarkjs/commits/master/src/groth16_verify.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iden3/snarkjs/tags"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Double spend in snarkjs"
}

GHSA-XP77-G88W-H7MG

Vulnerability from github – Published: 2022-01-28 00:02 – Updated: 2026-05-18 15:30
VLAI
Details

Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information including the database credentials. Since the database runs with high privileges it is possible to execute commands with the attained credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-27T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Single Connect does not perform an authorization check when using the sc-reports-ui\" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the data to an external file. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information including the database credentials. Since the database runs with high privileges it is possible to execute commands with the attained credentials.",
  "id": "GHSA-xp77-g88w-h7mg",
  "modified": "2026-05-18T15:30:31Z",
  "published": "2022-01-28T00:02:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44793"
    },
    {
      "type": "WEB",
      "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-22-0093"
    },
    {
      "type": "WEB",
      "url": "https://www.usom.gov.tr/bildirim/tr-22-0093"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XP82-R324-2W4V

Vulnerability from github – Published: 2025-04-29 09:31 – Updated: 2025-04-29 09:31
VLAI
Details

The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3452"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-29T09:15:16Z",
    "severity": "MODERATE"
  },
  "details": "The SecuPress Free \u2014 WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027secupress_reinstall_plugins_admin_ajax_cb\u0027 function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.",
  "id": "GHSA-xp82-r324-2w4v",
  "modified": "2025-04-29T09:31:37Z",
  "published": "2025-04-29T09:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3452"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/secupress/trunk/free/modules/plugins-themes/tools.php#L686"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3283453"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9125873-aedd-4334-b8e0-74b67d301904?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPF8-P6C2-QCP9

Vulnerability from github – Published: 2026-06-16 12:32 – Updated: 2026-06-16 12:32
VLAI
Details

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_pay_for_order() function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the wc_stripe_pay_for_order WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-16T10:16:26Z",
    "severity": "MODERATE"
  },
  "details": "The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to \"failed\" via sequential order ID enumeration.",
  "id": "GHSA-xpf8-p6c2-qcp9",
  "modified": "2026-06-16T12:32:01Z",
  "published": "2026-06-16T12:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2381"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woocommerce-gateway-stripe/tags/10.3.1/includes/class-wc-gateway-stripe.php#L523"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/woocommerce-gateway-stripe/tags/10.3.1/includes/payment-methods/class-wc-stripe-express-checkout-ajax-handler.php#L355"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3564842/woocommerce-gateway-stripe/trunk/includes/payment-methods/class-wc-stripe-express-checkout-ajax-handler.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoocommerce-gateway-stripe/tags/10.7.0\u0026new_path=%2Fwoocommerce-gateway-stripe/tags/10.8.0"
    },
    {
      "type": "WEB",
      "url": "https://research.cleantalk.org/cve-2026-2381"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ab3b52f7-e2c3-44f7-8e19-b6c51ccd50e0?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPGC-7VC2-8725

Vulnerability from github – Published: 2026-05-22 00:31 – Updated: 2026-06-24 21:07
VLAI
Summary
Concrete CMS is vulnerable to IDOR
Details

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The /ccm/frontend/conversations/message_detail endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "concrete5/concrete5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-8237"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-24T21:07:30Z",
    "nvd_published_at": "2026-05-21T22:16:49Z",
    "severity": "MODERATE"
  },
  "details": "Concrete CMS 9.5.0 and below is vulnerable to IDOR.\u00a0The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed.",
  "id": "GHSA-xpgc-7vc2-8725",
  "modified": "2026-06-24T21:07:30Z",
  "published": "2026-05-22T00:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8237"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/concretecms/concretecms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Concrete CMS is vulnerable to IDOR"
}

GHSA-XPH3-VJCQ-G488

Vulnerability from github – Published: 2023-08-02 12:30 – Updated: 2025-08-08 21:12
VLAI
Summary
Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions
Details

The organization selector before 4.0.14 from Liferay Portal (7.4.3.81 through 7.4.3.85), and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay:com.liferay.organizations.item.selector.web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.143.u81"
            },
            {
              "last_affected": "7.4.143.u85"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-425",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-08T21:12:51Z",
    "nvd_published_at": "2023-08-02T10:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The organization selector before 4.0.14 from Liferay Portal (7.4.3.81 through 7.4.3.85), and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.",
  "id": "GHSA-xph3-vjcq-g488",
  "modified": "2025-08-08T21:12:51Z",
  "published": "2023-08-02T12:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3426"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/b410f40233394d1d3d1076189befd4b33ba9fb47"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-3426"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Liferay Portal and Liferay DXP Organization Selector Does Not Check User Permissions "
}

GHSA-XPJH-VMFM-8QMF

Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-01-28 15:31
VLAI
Details

An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, macOS Sequoia 15.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2. Private Browsing tabs may be accessed without authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T22:15:14Z",
    "severity": "HIGH"
  },
  "details": "An authentication issue was addressed with improved state management. This issue is fixed in Safari 18.2, macOS Sequoia 15.2, watchOS 11.2, iOS 18.2 and iPadOS 18.2. Private Browsing tabs may be accessed without authentication.",
  "id": "GHSA-xpjh-vmfm-8qmf",
  "modified": "2025-01-28T15:31:56Z",
  "published": "2025-01-28T00:32:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54542"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121837"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121839"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121843"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/121846"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPPM-25H7-QF3Q

Vulnerability from github – Published: 2025-10-27 03:30 – Updated: 2026-01-20 15:31
VLAI
Details

Missing Authorization vulnerability in Codeinwp Revive Old Posts tweet-old-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive Old Posts: from n/a through <= 9.3.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-27T02:15:55Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in Codeinwp Revive Old Posts tweet-old-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive Old Posts: from n/a through \u003c= 9.3.3.",
  "id": "GHSA-xppm-25h7-qf3q",
  "modified": "2026-01-20T15:31:36Z",
  "published": "2025-10-27T03:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62954"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/tweet-old-post/vulnerability/wordpress-revive-old-posts-plugin-9-3-3-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/tweet-old-post/vulnerability/wordpress-revive-old-posts-plugin-9-3-3-broken-access-control-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/tweet-old-post/vulnerability/wordpress-revive-old-posts-plugin-9-3-3-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XPPV-4JRX-QF8M

Vulnerability from github – Published: 2026-04-16 01:35 – Updated: 2026-04-24 20:51
VLAI
Summary
wger has Broken Access Control in Global Gym Configuration Update Endpoint
Details

Summary

wger exposes a global configuration edit endpoint at /config/gym-config/edit implemented by GymConfigUpdateView. The view declares permission_required = 'config.change_gymconfig' but does not enforce it because it inherits WgerFormMixin (ownership-only checks) instead of the project’s permission-enforcing mixin (WgerPermissionMixin) .

The edited object is a singleton (GymConfig(pk=1)) and the model does not implement get_owner_object(), so WgerFormMixin skips ownership enforcement. As a result, a low-privileged authenticated user can modify installation-wide configuration and trigger server-side side effects in GymConfig.save().

This is a vertical privilege escalation from a regular user to privileged global configuration control. The application explicitly declares permission_required = 'config.change_gymconfig', demonstrating that the action is intended to be restricted; however, this requirement is never enforced at runtime.

Affected endpoint

The config URLs map as follows.

File: wger/config/urls.py

patterns_gym_config = [
    path('edit', gym_config.GymConfigUpdateView.as_view(), name='edit'),
]

urlpatterns = [
    path(
        'gym-config/',
        include((patterns_gym_config, 'gym_config'), namespace='gym_config'),
    ),
]

This resolves to:

/config/gym-config/edit

Root cause

The view declares a permission but does not enforce it

File: wger/config/views/gym_config.py

class GymConfigUpdateView(WgerFormMixin, UpdateView):
    model = GymConfig
    fields = ('default_gym',)
    permission_required = 'config.change_gymconfig'
    success_url = reverse_lazy('gym:gym:list')
    title = gettext_lazy('Edit')

    def get_object(self):
        return GymConfig.objects.get(pk=1)

The permission string exists, but WgerFormMixin does not check permission_required.

The project’s permission mixin exists but is not used

File: wger/utils/generic_views.py

class WgerPermissionMixin:
    permission_required = False
    login_required = False

    def dispatch(self, request, *args, **kwargs):
        if self.login_required or self.permission_required:
            if not request.user.is_authenticated:
                return HttpResponseRedirect(
                    reverse_lazy('core:user:login') + f'?next={request.path}'
                )

            if self.permission_required:
                has_permission = False
                if isinstance(self.permission_required, tuple):
                    for permission in self.permission_required:
                        if request.user.has_perm(permission):
                            has_permission = True
                elif request.user.has_perm(self.permission_required):
                    has_permission = True

                if not has_permission:
                    return HttpResponseForbidden('You are not allowed to access this object')

        return super(WgerPermissionMixin, self).dispatch(request, *args, **kwargs)

GymConfigUpdateView does not inherit this mixin, so none of the login/permission logic runs.

The mixin that is used performs only ownership checks, and GymConfig has no owner

File: wger/utils/generic_views.py

class WgerFormMixin(ModelFormMixin):
    def dispatch(self, request, *args, **kwargs):
        self.kwargs = kwargs
        self.request = request

        if self.owner_object:
            owner_object = self.owner_object['class'].objects.get(pk=kwargs[self.owner_object['pk']])
        else:
            try:
                owner_object = self.get_object().get_owner_object()
            except AttributeError:
                owner_object = False

        if owner_object and owner_object.user != self.request.user:
            return HttpResponseForbidden('You are not allowed to access this object')

        return super(WgerFormMixin, self).dispatch(request, *args, **kwargs)

File: wger/config/models/gym_config.py

class GymConfig(models.Model):
    default_gym = models.ForeignKey(
        Gym,
        verbose_name=_('Default gym'),
        # ...
        null=True,
        blank=True,
        on_delete=models.CASCADE,
    )
    # No get_owner_object() method

Because GymConfig does not implement get_owner_object(), WgerFormMixin catches AttributeError and sets owner_object = False, skipping any access restriction.

Security impact

This is not a cosmetic setting: GymConfig.save() performs installation-wide side effects.

File: wger/config/models/gym_config.py

def save(self, *args, **kwargs):
    if self.default_gym:
        UserProfile.objects.filter(gym=None).update(gym=self.default_gym)

        for profile in UserProfile.objects.filter(gym=self.default_gym):
            user = profile.user
            if not is_any_gym_admin(user):
                try:
                    user.gymuserconfig
                except GymUserConfig.DoesNotExist:
                    config = GymUserConfig()
                    config.gym = self.default_gym
                    config.user = user
                    config.save()

    return super(GymConfig, self).save(*args, **kwargs)

On deployments with multiple gyms, this allows a low-privileged user to tamper with tenant assignment defaults, affecting new registrations and bulk-updating existing users lacking a gym. This permits unauthorized modification of installation-wide state and bulk updates to other users’ records, violating the intended administrative trust boundary.

Proof of concept (local verification)

Environment: local docker compose stack, accessed via http://127.0.0.1:8088/en/.

Observed behavior

An unauthenticated user can reach the endpoint via GET; POST requires authentication and redirects to login. An authenticated low-privileged user can submit the form and change the global singleton. After the save, the application redirects to success_url = reverse_lazy('gym:gym:list') (e.g. /en/gym/list), which is permission-protected; therefore the browser may display a “Forbidden” page even though the global update already succeeded.

DB evidence (before/after)

Before submission:

default_gym_id= None
profiles_gym_null= 1

After a low-privileged user submitted the form setting default_gym to gym id 1:

default_gym_id= 1
profiles_gym_null= 0

Recommended fix

Ensure permission enforcement runs before the form dispatch.

Using the project mixin (order matters):

class GymConfigUpdateView(WgerPermissionMixin, WgerFormMixin, UpdateView):
    permission_required = 'config.change_gymconfig'
    login_required = True

Alternatively, use Django’s PermissionRequiredMixin (and LoginRequiredMixin) directly.

Conclusion

The view explicitly declares permission_required = 'config.change_gymconfig', which demonstrates developer intent that this action be restricted. The fact that it is not enforced constitutes improper access control regardless of perceived business impact.

Screenshot 2026-02-27 230752

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wger"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T01:35:16Z",
    "nvd_published_at": "2026-04-17T22:16:33Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nwger exposes a global configuration edit endpoint at `/config/gym-config/edit` implemented by `GymConfigUpdateView`. The view declares `permission_required = \u0027config.change_gymconfig\u0027` but does not enforce it because it inherits `WgerFormMixin` (ownership-only checks) instead of the project\u2019s permission-enforcing mixin (`WgerPermissionMixin`) .\n\nThe edited object is a singleton (`GymConfig(pk=1)`) and the model does not implement `get_owner_object()`, so `WgerFormMixin` skips ownership enforcement. As a result, a low-privileged authenticated user can modify installation-wide configuration and trigger server-side side effects in `GymConfig.save()`.\n\nThis is a vertical privilege escalation from a regular user to privileged global configuration control.\nThe application explicitly declares permission_required = \u0027config.change_gymconfig\u0027, demonstrating that the action is intended to be restricted; however, this requirement is never enforced at runtime.\n\n## Affected endpoint\n\nThe config URLs map as follows.\n\nFile: `wger/config/urls.py`\n\n```python\npatterns_gym_config = [\n    path(\u0027edit\u0027, gym_config.GymConfigUpdateView.as_view(), name=\u0027edit\u0027),\n]\n\nurlpatterns = [\n    path(\n        \u0027gym-config/\u0027,\n        include((patterns_gym_config, \u0027gym_config\u0027), namespace=\u0027gym_config\u0027),\n    ),\n]\n```\n\nThis resolves to:\n\n`/config/gym-config/edit`\n\n## Root cause\n\n### The view declares a permission but does not enforce it\n\nFile: `wger/config/views/gym_config.py`\n\n```python\nclass GymConfigUpdateView(WgerFormMixin, UpdateView):\n    model = GymConfig\n    fields = (\u0027default_gym\u0027,)\n    permission_required = \u0027config.change_gymconfig\u0027\n    success_url = reverse_lazy(\u0027gym:gym:list\u0027)\n    title = gettext_lazy(\u0027Edit\u0027)\n\n    def get_object(self):\n        return GymConfig.objects.get(pk=1)\n```\n\nThe permission string exists, but `WgerFormMixin` does not check `permission_required`.\n\n### The project\u2019s permission mixin exists but is not used\n\nFile: `wger/utils/generic_views.py`\n\n```python\nclass WgerPermissionMixin:\n    permission_required = False\n    login_required = False\n\n    def dispatch(self, request, *args, **kwargs):\n        if self.login_required or self.permission_required:\n            if not request.user.is_authenticated:\n                return HttpResponseRedirect(\n                    reverse_lazy(\u0027core:user:login\u0027) + f\u0027?next={request.path}\u0027\n                )\n\n            if self.permission_required:\n                has_permission = False\n                if isinstance(self.permission_required, tuple):\n                    for permission in self.permission_required:\n                        if request.user.has_perm(permission):\n                            has_permission = True\n                elif request.user.has_perm(self.permission_required):\n                    has_permission = True\n\n                if not has_permission:\n                    return HttpResponseForbidden(\u0027You are not allowed to access this object\u0027)\n\n        return super(WgerPermissionMixin, self).dispatch(request, *args, **kwargs)\n```\n\n`GymConfigUpdateView` does not inherit this mixin, so none of the login/permission logic runs.\n\n### The mixin that *is* used performs only ownership checks, and `GymConfig` has no owner\n\nFile: `wger/utils/generic_views.py`\n\n```python\nclass WgerFormMixin(ModelFormMixin):\n    def dispatch(self, request, *args, **kwargs):\n        self.kwargs = kwargs\n        self.request = request\n\n        if self.owner_object:\n            owner_object = self.owner_object[\u0027class\u0027].objects.get(pk=kwargs[self.owner_object[\u0027pk\u0027]])\n        else:\n            try:\n                owner_object = self.get_object().get_owner_object()\n            except AttributeError:\n                owner_object = False\n\n        if owner_object and owner_object.user != self.request.user:\n            return HttpResponseForbidden(\u0027You are not allowed to access this object\u0027)\n\n        return super(WgerFormMixin, self).dispatch(request, *args, **kwargs)\n```\n\nFile: `wger/config/models/gym_config.py`\n\n```python\nclass GymConfig(models.Model):\n    default_gym = models.ForeignKey(\n        Gym,\n        verbose_name=_(\u0027Default gym\u0027),\n        # ...\n        null=True,\n        blank=True,\n        on_delete=models.CASCADE,\n    )\n    # No get_owner_object() method\n```\n\nBecause `GymConfig` does not implement `get_owner_object()`, `WgerFormMixin` catches `AttributeError` and sets `owner_object = False`, skipping any access restriction.\n\n## Security impact\n\nThis is not a cosmetic setting: `GymConfig.save()` performs installation-wide side effects.\n\nFile: `wger/config/models/gym_config.py`\n\n```python\ndef save(self, *args, **kwargs):\n    if self.default_gym:\n        UserProfile.objects.filter(gym=None).update(gym=self.default_gym)\n\n        for profile in UserProfile.objects.filter(gym=self.default_gym):\n            user = profile.user\n            if not is_any_gym_admin(user):\n                try:\n                    user.gymuserconfig\n                except GymUserConfig.DoesNotExist:\n                    config = GymUserConfig()\n                    config.gym = self.default_gym\n                    config.user = user\n                    config.save()\n\n    return super(GymConfig, self).save(*args, **kwargs)\n```\n\nOn deployments with multiple gyms, this allows a low-privileged user to tamper with tenant assignment defaults, affecting new registrations and bulk-updating existing users lacking a gym. This permits unauthorized modification of installation-wide state and bulk updates to other users\u2019 records, violating the intended administrative trust boundary.\n\n## Proof of concept (local verification)\n\nEnvironment: local docker compose stack, accessed via `http://127.0.0.1:8088/en/`.\n\n### Observed behavior\n\nAn unauthenticated user can reach the endpoint via GET; POST requires authentication and redirects to login.\nAn authenticated low-privileged user can submit the form and change the global singleton. After the save, the application redirects to `success_url = reverse_lazy(\u0027gym:gym:list\u0027)` (e.g. `/en/gym/list`), which is permission-protected; therefore the browser may display a \u201cForbidden\u201d page even though the global update already succeeded.\n\n### DB evidence (before/after)\n\nBefore submission:\n\n```bash\ndefault_gym_id= None\nprofiles_gym_null= 1\n```\n\nAfter a low-privileged user submitted the form setting `default_gym` to gym id `1`:\n\n```bash\ndefault_gym_id= 1\nprofiles_gym_null= 0\n```\n\n## Recommended fix\n\nEnsure permission enforcement runs before the form dispatch.\n\nUsing the project mixin (order matters):\n\n```python\nclass GymConfigUpdateView(WgerPermissionMixin, WgerFormMixin, UpdateView):\n    permission_required = \u0027config.change_gymconfig\u0027\n    login_required = True\n```\n\nAlternatively, use Django\u2019s `PermissionRequiredMixin` (and `LoginRequiredMixin`) directly.\n\n## Conclusion \n\nThe view explicitly declares permission_required = \u0027config.change_gymconfig\u0027, which demonstrates developer intent that this action be restricted. The fact that it is not enforced constitutes improper access control regardless of perceived business impact.\n\n\u003cimg width=\"1912\" height=\"578\" alt=\"Screenshot 2026-02-27 230752\" src=\"https://github.com/user-attachments/assets/c627b404-6d9c-4477-88bd-f867d0fa09d2\" /\u003e",
  "id": "GHSA-xppv-4jrx-qf8m",
  "modified": "2026-04-24T20:51:15Z",
  "published": "2026-04-16T01:35:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40474"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wger-project/wger"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wger-project/wger/releases/tag/2.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "wger has Broken Access Control in Global Gym Configuration Update Endpoint"
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.