wger Workout Manager Cross-Tenant Password Reset Vulnerability Allowing Account Takeover

Vulnerability

A critical vulnerability in the wger workout and fitness manager, affecting versions through 2.5.0, allows unauthorized password resets and account takeovers. The issue lies in the 'reset_user_password' and 'gym_permissions_user_edit' views, where the gym-scope authorization check does not handle a 'None' gym value correctly, so two users with no gym assignment are treated as belonging to the same gym. As a result, a user who holds the 'gym.manage_gym' permission but has no gym assignment can reset the password of any other user who also has no gym assignment. The new plaintext password is disclosed in the response, giving the attacker immediate access to the account while the original user is locked out because their previous password no longer works.
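The check described above, modelled in plain Python as an added illustration (this is not wger's code; the 'Profile' class, the function names and the sample users are constructed for this example). The vulnerable form compares the two users' gym ids directly, so two unassigned users ('None == None') pass the scope check; the hardened form refuses to act when either side has no gym.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    """Constructed stand-in for a user and their gym membership."""
    user_id: int
    gym_id: Optional[int]          # None means "not assigned to any gym"
    can_manage_gym: bool = False   # stands in for the gym.manage_gym permission


def vulnerable_may_reset(actor: Profile, target: Profile) -> bool:
    """Scope check in the shape the advisory describes: permission plus a plain
    equality test on gym ids.  When both users have gym_id None the equality
    holds, so an unassigned manager is allowed to act on every other
    unassigned user."""
    return actor.can_manage_gym and actor.gym_id == target.gym_id


def hardened_may_reset(actor: Profile, target: Profile) -> bool:
    """Same decision with the None case closed: an actor without a gym has no
    gym scope at all, and a target without a gym is outside every scope."""
    if not actor.can_manage_gym:
        return False
    if actor.gym_id is None or target.gym_id is None:
        return False
    return actor.gym_id == target.gym_id


def audit(actor: Profile, targets: list[Profile]) -> dict[str, list[int]]:
    """Run both checks over a set of users and report which targets each one
    would let the actor reset.  Useful for confirming a fix on sample data."""
    return {
        "vulnerable": [t.user_id for t in targets if vulnerable_may_reset(actor, t)],
        "hardened": [t.user_id for t in targets if hardened_may_reset(actor, t)],
    }


if __name__ == "__main__":
    # Constructed scenario: a trainer with manage_gym permission and no gym,
    # plus three other users, two of them also unassigned and one in gym 7.
    trainer = Profile(user_id=1, gym_id=None, can_manage_gym=True)
    others = [Profile(2, None), Profile(3, None), Profile(4, 7)]
    print(audit(trainer, others))
```

The vulnerable check lets the unassigned trainer reset users 2 and 3; the hardened check permits none of them, while still allowing a manager assigned to gym 7 to reset members of gym 7.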

Impact

Exploitation of this vulnerability allows a user with the 'gym.manage_gym' permission and 'gym=None' to reset the password of any other 'gym=None' user, receive the new password in plaintext, log in as the victim, and permanently lock them out, since their original password is invalidated.

Reproduction

To reproduce this vulnerability, log in as a trainer who holds the 'gym.manage_gym' permission and has no gym assignment. Then send a request to the password reset endpoint for another user who also has no gym assignment. The response includes the new plaintext password, which can be used to log in as that user, taking over their account.

Remediation

Users are advised to update to wger version 2.6 or later, where this vulnerability has been fixed.

Added: May 12, 2026, 10:31 PM
Updated: May 12, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          3.8
exploitability  6.2
remediation     0.0
relevance       8.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.