wger Stored Cross-Site Scripting Vulnerability via Unescaped License Attribution Fields

A stored cross-site scripting vulnerability has been identified in wger, a workout and fitness management application, in versions through 2.4. The issue arises in the AbstractLicenseModel, where the attribution_link property constructs HTML by directly interpolating user-controlled license fields without proper escaping. This unescaped HTML is rendered in templates using Django's safe filter, allowing authenticated users to inject JavaScript that executes in the browsers of anyone viewing the affected ingredient page. The vulnerability has been patched in version 2.5.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript executes in the context of the user viewing the ingredient page. This could lead to session hijacking, account takeover, data theft, and phishing.

Reproduction

To reproduce this vulnerability, an authenticated user can create an ingredient through the wger web application. During the creation process, the user should enter a license author value that includes a JavaScript payload, such as an image tag with an onerror event. Once the ingredient is saved, the XSS payload will execute when the ingredient page is viewed.

Remediation

Users can update to wger version 2.5 or later, where this vulnerability has been fixed.