CVE-2024-53272

Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `login` and `social media` function in `RegisterLoginReset.vue` contains two reflected XSS vulnerabilities due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability, giving the attacker control of the victims account when a victim registers or logins with a specially crafted link. Version 5.28.5 contains a patch.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
GitHub_MCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Common Weakness Enumeration
References
https://github.com/HabitRPG/habitica/commit/946ade5da1f52a804ef2ba76d49416c43e8166bf
https://securitylab.github.com/advisories/GHSL-2024-109_GHSL-2024-111_habitica/