PT-2024-35705 · Habitica · Habitica
Kevin Stubbings · Published 2024-12-11 · Updated 2025-09-05 · CVE-2024-53272
CVSS v4.0: 6.2 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
Habitica versions prior to 5.28.5
Description
Habitica is an open-source habit-building program. The issue concerns reflected cross-site scripting vulnerabilities in the login and social media functions within RegisterLoginReset.vue, caused by an incorrect sanitization function. An attacker can exploit this by specifying a malicious redirectTo parameter, potentially giving them control of a victim's account when the victim registers or logs in with a specially crafted link.

Recommendations
For versions prior to 5.28.5, update to version 5.28.5 to resolve the issue. As a temporary workaround, consider restricting access to the login and social media functions in RegisterLoginReset.vue until the update can be applied. Additionally, avoid using the redirectTo parameter in affected links until the issue is resolved.

Exploit
Fix
XSS
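To show the defensive side of the bug class described above (an unvalidated redirectTo value reaching the login flow), here is an added example of a strict allow-list check for a post-login redirect target. It is not Habitica's code and does not reproduce the project's actual fix; the origin https://app.example, the helper name safeRedirectTarget and the sample inputs are assumptions.

```javascript
// Added example (not Habitica's code): allow-list validation for a
// post-login "redirectTo" parameter. Accept only a same-origin absolute
// path; anything else falls back to a safe default. The origin below is
// an assumed placeholder, not a real deployment.
const APP_ORIGIN = "https://app.example";
const DEFAULT_REDIRECT = "/";

function safeRedirectTarget(raw, fallback = DEFAULT_REDIRECT) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return fallback;
  }
  // Must start with "/" followed by something other than "/" or "\".
  // This rejects "//host", "/\host", "javascript:...", "https://..." and
  // any value that does not begin with a plain path.
  if (!/^\/(?![\/\\])/.test(raw)) {
    return fallback;
  }
  // Reject control characters and whitespace; some URL parsers strip them,
  // which lets a scheme slip past naive prefix checks.
  if (/[\u0000-\u001F\u007F\s]/.test(raw)) {
    return fallback;
  }
  // Resolve against a fixed base and confirm it is still same-origin.
  let parsed;
  try {
    parsed = new URL(raw, APP_ORIGIN);
  } catch (e) {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) {
    return fallback;
  }
  // Return only the path, query and fragment, never a full URL.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample inputs a login handler might receive.
const SAMPLES = [
  "/tasks",
  "/groups/tavern?tab=chat#top",
  "//evil.example/",
  "https://evil.example/",
  "javascript:void(0)",
  "/\\evil.example",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```

The check deliberately returns a path rather than echoing the caller's string, so the value handed to the router can never carry a scheme or a foreign host.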
Affected Products
Habitica