Monicahq ≫ Monica

A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "fal...

Monica 4.1.2 is vulnerable to Cross Site Scripting (XSS). A malicious user can create a malformed contact and use that contact in the "HOW YOU MET" customization options to trigger the XSS.

MonicaHQ v4.1.2 was discovered to contain a Client-Side Injection vulnerability via the last_name parameter the General Information module.

MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter at /people/h:[id]/debts/create.

MonicaHQ v4.1.1 was discovered to contain an authenticated Client-Side Injection vulnerability via the entry text field at /journal/entries/ID/edit.

MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and description parameters at /people/ID/reminders/create.

MonicaHQ v4.1.2 was discovered to contain multiple Client-Side Injection vulnerabilities via the first_name and last_name parameters in the Add a new relationship feature.

A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/work` endpoint and job and company parameter.

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/relationships` endpoint and first_name and last_name parameter.