Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `login` and `social media` function in `RegisterLoginReset.vue` contains two reflected XSS vulnerabilities due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability, giving the attacker control of the victim’s account when a victim registers or logins with a specially crafted link. Version 5.28.5 contains a patch.
History

Fri, 05 Sep 2025 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:habitica:habitica:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 12 Dec 2024 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Dec 2024 22:30:00 +0000

Type Values Removed Values Added
Description Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `login` and `social media` function in `RegisterLoginReset.vue` contains two reflected XSS vulnerabilities due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability, giving the attacker control of the victim’s account when a victim registers or logins with a specially crafted link. Version 5.28.5 contains a patch.
Title GHSL-2024-109: Reflected XSS in /login in habitica
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-12-12T16:00:45.275Z

Reserved: 2024-11-19T20:08:14.482Z

Link: CVE-2024-53272

cve-icon Vulnrichment

Updated: 2024-12-12T15:56:21.494Z

cve-icon NVD

Status : Analyzed

Published: 2024-12-12T02:15:28.670

Modified: 2025-09-05T21:38:03.967

Link: CVE-2024-53272

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T16:01:36Z