Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-23078

Date: June 22, 2022

Overview

In habitica versions v4.119.0 through v4.232.2 are vulnerable to open redirect via the login page.

Details

In habitica versions v4.119.0 through v4.232.2 are vulnerable to open redirect via the login page. After successful login of a user, he will be redirected to an arbitrary page.

PoC Details

Access the login page URL(generally: http://localhost:8080/login?redirectTo=http%3A%2F%2Fevil.com) and login as a valid user. After successful login, a redirect will be made to a malicious website.

PoC Code

?redirectTo=http://evil.com

Affected Environments

habitica versions v4.119.0-v4.232.2

Prevention

Upgrade to habitica version v4.233.0

Language: JS

Good to know:

icon

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601
icon

Upgrade Version

Upgrade to version v4.233.0

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Additional information:

Related Resources (4)

https://github.com/HabitRPG/habitica/commit/5bcfdbe066e8c899f3ecf3fdcdbacc2ecba7f02f
https://www.mend.io/vulnerability-database/CVE-2022-23078
https://nvd.nist.gov/vuln/detail/CVE-2022-23078
https://www.mend.io/vulnerability-database/CVE-2022-23078