
CVE-2022-23077

Date: June 22, 2022

Overview

Habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM-based XSS via the login page.

Details

Habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM-based XSS via the login page.
The login page's redirectTo query parameter is used client-side as the post-login navigation target without restricting its URL scheme, so a javascript: URL supplied in that parameter is executed in Habitica's origin once the user has logged in successfully.
The attacker therefore needs the victim to open a crafted login link and then log in; the payload then runs with the victim's authenticated session.

PoC Details

Open the login page with a crafted redirectTo parameter (for a local instance, generally http://localhost:8080/login?redirectTo=javascript%3Aalert%28document.cookie%29)
and log in as a valid user.
After the login succeeds, the page navigates to the redirectTo value and the payload executes.

PoC Code

?redirectTo=javascript:alert(document.cookie)

Affected Environments

Habitica versions v4.119.0 through v4.232.2

Prevention

Upgrade to Habitica version v4.233.0 (the first fixed release).
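The following is an added example and is not Habitica's code or the project's actual fix. It shows, for the PoC above, how the URL-encoded redirectTo value decodes to a javascript: URL, why handing that value straight to the navigation target is DOM-based XSS, and one way to validate a post-login redirect so that only same-origin paths survive. The origin (http://localhost:8080, as in the PoC), the helper names and the sample inputs are assumptions for illustration; the sample inputs go beyond the advisory's single payload to cover the usual open-redirect bypass attempts. It runs under Node.js.

```javascript
// Added example, not Habitica's code: how the login page's redirectTo value
// turns into DOM XSS, and one way to validate it. The origin, helper names and
// sample inputs are assumptions for illustration.

const APP_ORIGIN = 'http://localhost:8080';   // assumed local instance, as in the PoC
const DEFAULT_TARGET = '/';                   // where to send the user when redirectTo is rejected

// The PoC login URL from the advisory; the browser URL-decodes the parameter.
const POC_LOGIN_URL =
  'http://localhost:8080/login?redirectTo=javascript%3Aalert%28document.cookie%29';

// Read redirectTo the way client-side code would (URLSearchParams decodes it).
function redirectParamFromLoginUrl(loginUrl) {
  return new URL(loginUrl).searchParams.get('redirectTo'); // "javascript:alert(document.cookie)"
}

// Vulnerable pattern (DOM-based XSS): the raw query value becomes the navigation
// target after login. In a browser this is `window.location.href = target`, and a
// javascript: URL assigned there executes in the application's own origin.
function unsafeRedirectTarget(raw) {
  return raw || DEFAULT_TARGET;
}

// Hardened pattern: resolve the value against the app's own origin and keep only
// same-origin targets, re-serialised as path + query + fragment so no scheme or
// host chosen by the attacker survives. Origin equality covers scheme, host and
// port, which rejects javascript:, data:, protocol-relative //host and http/https swaps.
function safeRedirectTarget(raw, appOrigin) {
  if (typeof raw !== 'string' || raw === '') return DEFAULT_TARGET;
  let target;
  try {
    target = new URL(raw, appOrigin);     // relative paths resolve to appOrigin
  } catch (e) {
    return DEFAULT_TARGET;                // unparsable input: fall back rather than guess
  }
  if (target.origin !== new URL(appOrigin).origin) return DEFAULT_TARGET;
  return target.pathname + target.search + target.hash;   // always begins with "/"
}

// Constructed inputs: the advisory's payload plus common open-redirect bypasses.
const SAMPLE_INPUTS = [
  redirectParamFromLoginUrl(POC_LOGIN_URL),
  '/tasks?view=all#top',
  'http://localhost:8080/user/settings',
  '//evil.example/phish',
  '/\\evil.example',                        // backslash is treated as "/" by WHATWG URL parsing
  'https://localhost:8080/x',               // same host, different scheme: a different origin
  'data:text/html,<script>alert(1)</script>',
];

// Returns one row per sample: what the vulnerable and hardened code would navigate to.
function runSamples() {
  return SAMPLE_INPUTS.map((input) => ({
    input,
    unsafe: unsafeRedirectTarget(input),
    safe: safeRedirectTarget(input, APP_ORIGIN),
  }));
}

for (const row of runSamples()) {
  console.log(JSON.stringify(row));
}
```

The design point is to never pass the user-controlled value to the navigation API at all: the validator re-emits only the path, query and fragment of a URL that already resolved to the application's origin, so an allow-list of schemes is not even needed and an attacker cannot smuggle a host or scheme past a string prefix check.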

Language: JS

Good to know:

Weakness class: Cross-Site Scripting (XSS), CWE-79

Remediation: upgrade to version v4.233.0 (the first fixed release)

CVSS v3 Base Score: 6.1 (computed from the vector below)
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

CVSS v2 Base Score: 4.3 (computed from the vector below)
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None