wger Workout and Fitness Manager Insecure Direct Object Reference Vulnerability in Nutritional Values Endpoints
Vulnerability
A vulnerability exists in wger Workout and Fitness Manager versions through 2.4, where three nutritional_values action endpoints return another user's private nutrition data to any authenticated user who supplies that record's primary key. The lookups behind these endpoints are raw ORM calls keyed only on the primary key; they never filter on the requesting user, so no object-level permission check is applied before the data is returned. This is a classic insecure direct object reference (IDOR) and exposes sensitive information such as caloric intake and detailed macro breakdowns.
Impact
Exploitation of this vulnerability allows any authenticated user to read the private dietary information of every other user, including daily caloric intake, detailed macronutrient breakdowns (protein, carbohydrates, fats, fiber, sodium), and full meal compositions with ingredient quantities. No elevated privileges are needed; an ordinary account is sufficient. This exposure of sensitive health data violates user privacy expectations.
Reproduction
To reproduce this vulnerability, an authenticated user sends a GET request to one of the vulnerable nutritional_values endpoints, such as '/api/v2/nutritionplan/{pk}/nutritional_values/', with the authorization token of their own (ordinary) account. Substituting a primary key that belongs to a plan owned by a different user returns that user's nutritional data instead of an error. Because the endpoint never checks ownership, simply enumerating primary keys walks through the private nutrition plans of every user on the instance.
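The following is an added example and not code from the wger project. It models, in plain Python with an in-memory stand-in for the ORM, the defect described in the Vulnerability section and the enumeration described in the Reproduction section: one lookup resolves a nutrition plan by primary key alone (the vulnerable pattern), the other additionally filters on the requesting user (the fix). The data, the user names, the function names and the view shape are all constructed for illustration; the only wger-specific detail carried over is the endpoint path in the docstring.

```python
"""Model of the nutritional_values IDOR (added example, not wger's code).

PLANS, NutritionPlan, get_plan_unscoped, get_plan_scoped and the view function
are a constructed, in-memory stand-in for a Django view over the ORM. They are
not taken from the wger code base.
"""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Stands in for Django's Http404 (or Model.DoesNotExist)."""


@dataclass
class NutritionPlan:
    pk: int
    user: str           # owner of the plan
    calories: int       # daily caloric intake
    macros: dict = field(default_factory=dict)  # protein, carbs, fat, ...


# Constructed sample data: two users, three plans (invented values).
PLANS = {
    1: NutritionPlan(1, "alice", 2100, {"protein": 150, "carbs": 220, "fat": 70}),
    2: NutritionPlan(2, "bob", 1800, {"protein": 120, "carbs": 180, "fat": 60}),
    3: NutritionPlan(3, "bob", 2400, {"protein": 170, "carbs": 260, "fat": 80}),
}


def get_plan_unscoped(pk, request_user):
    """Vulnerable pattern: the Django equivalent is
    NutritionPlan.objects.get(pk=pk). The caller's identity is ignored,
    so any existing pk resolves, whoever owns it."""
    try:
        return PLANS[pk]
    except KeyError:
        raise NotFound(pk)


def get_plan_scoped(pk, request_user):
    """Fixed pattern: the Django idiom is
    get_object_or_404(NutritionPlan, pk=pk, user=request.user).
    A plan the caller does not own is indistinguishable from a missing
    one (404), so the response does not even confirm that the pk exists."""
    plan = PLANS.get(pk)
    if plan is None or plan.user != request_user:
        raise NotFound(pk)
    return plan


def nutritional_values_view(pk, request_user, lookup):
    """Models GET /api/v2/nutritionplan/{pk}/nutritional_values/.

    Returns (status, body). `lookup` is one of the two functions above."""
    try:
        plan = lookup(pk, request_user)
    except NotFound:
        return 404, None
    body = {"pk": plan.pk, "calories": plan.calories}
    body.update(plan.macros)
    return 200, body


def enumerate_plans(request_user, lookup, max_pk=10):
    """Models the reproduction step: an authenticated user walks pk 1..max_pk
    and records every pk that was served with HTTP 200."""
    served = []
    for pk in range(1, max_pk + 1):
        status, _body = nutritional_values_view(pk, request_user, lookup)
        if status == 200:
            served.append(pk)
    return served


if __name__ == "__main__":
    # alice enumerates: the unscoped lookup hands her bob's plans (pk 2, 3);
    # the scoped lookup serves only her own plan (pk 1).
    print("unscoped:", enumerate_plans("alice", get_plan_unscoped))
    print("scoped:  ", enumerate_plans("alice", get_plan_scoped))
```

The scoped lookup deliberately answers 404 rather than 403 for a plan owned by someone else, so that enumeration does not leak which primary keys exist.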
Remediation
Users should update to the latest version of wger, where this vulnerability has been fixed. Instructions for updating can be found in the wger documentation. After upgrading, operators can confirm the fix by requesting a nutritional_values endpoint with the primary key of a plan owned by a different account: the response must no longer contain that user's data.