Monica Security Vulnerabilities

CVE-2020-35660

Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page.

CVE-2021-27368

The Contact page in Monica 2.19.1 allows stored XSS via the First Name field.

CVE-2021-27369

The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field.

CVE-2021-27370

The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field.

CVE-2021-27371

The Contact page in Monica 2.19.1 allows stored XSS via the Description field.

CVE-2021-27559

The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field.

CVE-2023-1031

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the settings endpoint and first_name parameter.

CVE-2023-1094

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the people:id/food endpoint and food parameter.

CVE-2023-30787

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the people:id/introductions endpoint and first_met_additional_info parameter.

CVE-2023-30788

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the people/add endpoint and nickName, description, lastName, middleName and firstName parameter.

CVE-2023-30789

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the people:id/work endpoint and job and company parameter.

CVE-2023-30790

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the people:id/relationships endpoint and first_name and last_name parameter.

CVE-2023-50465

A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.