CVE-2024-53273

Name of the Vulnerable Software and Affected Versions Habitica versions prior to 5.28.5

Description Habitica is an open-source habit-building program. The issue arises from a reflected cross-site scripting vulnerability due to an incorrect sanitization function in the register function within RegisterLoginReset.vue. An attacker can specify a malicious redirectTo parameter to trigger the vulnerability, potentially giving the attacker control of the victim's account when the victim registers or logs in with a specially crafted link.

Recommendations For versions prior to 5.28.5, update to version 5.28.5 to resolve the issue. As a temporary workaround, consider restricting access to the register function in RegisterLoginReset.vue until the patch is applied. Avoid using malicious redirectTo parameters in the affected API endpoint until the issue is resolved.