13 matches found
CVE-2021-27370
The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field.
CVE-2020-35660
Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page.
CVE-2024-54998
MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter at /people/h:[id]/debts/create.
CVE-2023-30788
MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the people/add endpoint and the nickName, description, lastName, middleName and firstName parameters.
CVE-2023-30790
MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the people:id/relationships endpoint and the first_name and last_name parameters.
CVE-2024-54997
MonicaHQ v4.1.1 was discovered to contain an authenticated Client-Side Injection vulnerability via the entry text field at /journal/entries/ID/edit.
CVE-2023-30787
MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the people:id/introductions endpoint and first_met_additional_info parameter.
CVE-2023-30789
MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the people:id/work endpoint and the job and company parameters.
CVE-2021-27371
The Contact page in Monica 2.19.1 allows stored XSS via the Description field.
CVE-2021-27559
The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field.
CVE-2023-50465
A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.
CVE-2021-27368
The Contact page in Monica 2.19.1 allows stored XSS via the First Name field.
CVE-2021-27369
The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field.