CVE-2024-53272

Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `login` and `social media` function in `RegisterLoginReset.vue` contains two reflected XSS vulnerabilities due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability, giving the attacker control of the victim’s account when a victim registers or logins with a specially crafted link. Version 5.28.5 contains a patch.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/HabitRPG/habitica/commit/946ade5da1f52a804ef2ba76d49416c43e8166bf	Patch
https://securitylab.github.com/advisories/GHSL-2024-109_GHSL-2024-111_habitica/	Third Party Advisory Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:habitica:habitica:*:*:*:*:*:*:*:*

History

05 Sep 2025, 21:38

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
First Time		Habitica habitica Habitica
CPE		cpe:2.3:a:habitica:habitica::::::::
Summary		(es) Habitica es un programa de código abierto para generar hábitos. Las versiones anteriores a la 5.28.5 son vulnerables a ataques de Cross-Site Scripting reflejado. Las funciones `login` y `social media` en `RegisterLoginReset.vue` contienen dos vulnerabilidades de XSS reflejado debido a una función de desinfección incorrecta. Un atacante puede especificar un parámetro `redirectTo` malicioso para activar la vulnerabilidad, lo que le otorga al atacante el control de la cuenta de la víctima cuando esta se registra o inicia sesión con un enlace especialmente manipulado. La versión 5.28.5 contiene un parche.
References	~~() https://github.com/HabitRPG/habitica/commit/946ade5da1f52a804ef2ba76d49416c43e8166bf -~~	() https://github.com/HabitRPG/habitica/commit/946ade5da1f52a804ef2ba76d49416c43e8166bf - Patch
References	~~() https://securitylab.github.com/advisories/GHSL-2024-109_GHSL-2024-111_habitica/ -~~	() https://securitylab.github.com/advisories/GHSL-2024-109_GHSL-2024-111_habitica/ - Third Party Advisory, Exploit

12 Dec 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-12 02:15

Updated : 2025-09-05 21:38

NVD link : CVE-2024-53272

Mitre link : CVE-2024-53272

CVE.ORG link : CVE-2024-53272

JSON object : View

Products Affected

habitica

habitica

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10