wger Workout Manager Broken Object-Level Authorization Vulnerability in Repetition Config API
Vulnerability
A broken object-level authorization vulnerability has been identified in the wger workout and fitness manager, specifically in versions through 2.4. The issue arises in the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet, where the get_queryset() method retrieves all users' repetition configuration data without filtering for the authenticated user. This oversight allows any registered user to access and enumerate the workout structures of all other users. The vulnerability exposes detailed workout information, including slot entry IDs, iteration values, operations, step counts, repeat flags, and requirements JSON.
Impact
Exploitation of this vulnerability allows any authenticated user to access other users' repetition and max-repetition configurations, thereby exposing their workout structures. This constitutes a broken object-level authorization vulnerability, the class of issue described in the OWASP API Security Top 10.
Reproduction
To reproduce this vulnerability, send a GET request to the '/api/v2/repetitions-config/' or '/api/v2/max-repetitions-config/' endpoints using an authorization token for a registered user. The response will include all users' repetition or max-repetition configurations, not just those of the authenticated user.
Remediation
The vulnerability has been fixed in commit 1fda5690b35706bb137850c8a084ec6a13317b64, which adds the necessary user filtering to the queryset methods of the affected viewsets.
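The following is an added example, not wger's own code and not the code from the referenced commit. It models, in framework-free Python, the pattern described in the Vulnerability and Reproduction sections: a DRF-style viewset whose get_queryset() returns every row, beside one that scopes the queryset to the requesting user, plus two checks a defender can adapt into a regression test. The ownership chain (config row -> slot entry -> owning user), the QuerySet stand-in, and all sample rows are assumptions constructed for the example; wger's real foreign-key chain is whatever the fix commit filters on.

```python
"""Added example (not wger's code): a broken object-level authorization bug in a
get_queryset() method, its user-scoped fix, and checks that detect the leak.
The ownership chain config -> slot_entry -> owner is an assumption for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    username: str


@dataclass(frozen=True)
class SlotEntry:
    id: int
    owner: User  # assumption: each slot entry belongs to exactly one user's routine


@dataclass(frozen=True)
class RepetitionsConfig:
    id: int
    slot_entry: SlotEntry
    iteration: int
    operation: str
    value: float
    repeat: bool


class QuerySet:
    """Minimal stand-in for a Django queryset: filter() narrows rows by a predicate."""

    def __init__(self, rows):
        self._rows = list(rows)

    def filter(self, pred):
        return QuerySet(r for r in self._rows if pred(r))

    def all(self):
        return QuerySet(self._rows)

    def __iter__(self):
        return iter(self._rows)

    def __len__(self):
        return len(self._rows)


# Constructed sample table: two users, each owning repetition configs.
ALICE, BOB = User(1, "alice"), User(2, "bob")
TABLE = [
    RepetitionsConfig(10, SlotEntry(100, ALICE), 1, "r", 8.0, False),
    RepetitionsConfig(11, SlotEntry(101, ALICE), 2, "+", 2.0, True),
    RepetitionsConfig(12, SlotEntry(200, BOB), 1, "r", 12.0, False),
]


class VulnerableRepetitionsConfigViewSet:
    """Mirrors the flaw in the advisory: the queryset is never scoped to request.user."""

    queryset = QuerySet(TABLE)

    def __init__(self, request_user):
        self.request_user = request_user

    def get_queryset(self):
        return self.queryset.all()  # every user's rows are served to any caller


class FixedRepetitionsConfigViewSet:
    """Object-level authorization: restrict the queryset to rows the caller owns."""

    queryset = QuerySet(TABLE)

    def __init__(self, request_user):
        self.request_user = request_user

    def get_queryset(self):
        user = self.request_user
        return self.queryset.filter(lambda row: row.slot_entry.owner.id == user.id)


def leaked_ids(viewset_cls, user):
    """Ids of rows the viewset exposes to `user` that `user` does not own.
    An empty list means the viewset passes the object-level authorization check."""
    rows = viewset_cls(user).get_queryset()
    return sorted(r.id for r in rows if r.slot_entry.owner.id != user.id)


def foreign_slot_entries(response_items, owned_slot_entry_ids):
    """Regression check over a decoded list endpoint response (dicts with a
    'slot_entry' key, as the advisory says the endpoint returns): slot entry ids
    present in the response that the requesting user does not own."""
    owned = set(owned_slot_entry_ids)
    return sorted({item["slot_entry"] for item in response_items} - owned)
```

The leaked_ids check is the one to run in a unit test against each viewset after a fix: it exercises get_queryset() for a user and fails the moment a row owned by someone else appears. foreign_slot_entries covers the black-box side of the Reproduction section, comparing a decoded list response against the slot entry ids the test user is known to own, so the same assertion can be made against a running instance without reading its code. In Django the fix is a filter() on the foreign-key chain from the config row to its owning user, and the commit referenced above is the authoritative statement of that chain for wger.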
