Can you explain this vulnerability to me?

The vulnerability exists in wger, a free, open-source workout and fitness manager, in versions up to and including 2.4. Specifically, the `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` components return all users' repetition configuration data because their `get_queryset()` methods call `.all()` instead of filtering the data by the authenticated user. This means that any registered user can access and enumerate the workout structure data of every other user.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows any registered user to view the repetition configuration data of all other users. As a result, sensitive or private workout structure information can be exposed without authorization. While it does not allow modification or deletion, the unauthorized disclosure of user-specific workout data could lead to privacy concerns or misuse of personal fitness information.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update wger to a version that includes the fix from commit 1fda5690b35706bb137850c8a084ec6a13317b64 or later.

The issue is caused by the `RepetitionsConfigViewSet` and `MaxRepetitionsConfigViewSet` returning all users' repetition config data without filtering by the authenticated user. Applying the fix ensures that only the authenticated user's data is returned.

Useful 0 Not Useful 0