icon

We found results for “

CVE-2022-23077

Date: June 22, 2022

Overview

In habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM XSS via the login page.

Details

In habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM XSS via the login page.
After successful login of a user, the XSS payload will get executed.

PoC Details

Access the login page URL (generally: http://localhost:8080/login?redirectTo=javascript%3Aalert%28document.cookie%29)
and login as a valid user.
After successful login, the XSS will be triggered.

PoC Code

?redirectTo=javascript:alert(document.cookie)

Affected Environments

habitica versions v4.119.0-v4.232.2

Prevention

Upgrade to habitica version v4.233.0

Language: JS

Good to know:

icon
icon

Cross-Site Scripting (XSS)

CWE-79
icon

Upgrade Version

Upgrade to version v4.233.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None