CVE-2024-53272

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-53272
Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `login` and `social media` function in `RegisterLoginReset.vue` contains two reflected XSS vulnerabilities due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability, giving the attacker control of the victim’s account when a victim registers or logins with a specially crafted link. Version 5.28.5 contains a patch.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/HabitRPG/habitica/commit/946ade5da1f52a804ef2ba76d49416c43e8166bf Patch
https://securitylab.github.com/advisories/GHSL-2024-109_GHSL-2024-111_habitica/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:habitica:habitica:*:*:*:*:*:*:*:*
History

No history.

Information

Published : 2024-12-12 02:15

Updated : 2025-09-05 21:38

NVD link : CVE-2024-53272

Mitre link : CVE-2024-53272

CVE.ORG link : CVE-2024-53272

JSON object : View

Products Affected

habitica

  • habitica
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')