
Monicahq Monica vulnerabilities

20 known vulnerabilities affecting monicahq/monica.

Total CVEs: 20
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3, MEDIUM 16

Vulnerabilities (columns: CVE | priority | severity | CVSS score, with "PoC" marking a public exploit | affected version | date)

CVE-2026-26747 | P3 | CRITICAL | CVSS 9.1 | v4.1.2 | 2026-02-20
[CRITICAL] CWE-644: A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs (such as those used in password reset emails) using th
Source: nvd
CVE-2021-27370 | P4 | MEDIUM | CVSS 5.4 | PoC | v2.19.1 | 2021-02-22
[MEDIUM] CWE-79: The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field.
Source: nvd
CVE-2023-1031 | P3 | HIGH | CVSS 8.8 | v4.0.0 | 2023-05-08
[HIGH] CWE-79: MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `settings` endpoint and first_name parameter.
Source: nvd
CVE-2023-1094 | P3 | HIGH | CVSS 8.8 | v4.0.0 | 2023-05-08
[HIGH] CWE-79: MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/food` endpoint and food parameter.
Source: nvd
CVE-2024-54996 | P3 | HIGH | CVSS 8.8 | v4.1.2 | 2025-01-10
[HIGH] CWE-79: MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and description parameters at /people/ID/reminders/create.
Source: nvd
CVE-2024-54999 | P3 | MEDIUM | CVSS 6.5 | v4.1.2 | 2025-01-13
[MEDIUM] CWE-94: MonicaHQ v4.1.2 was discovered to contain a Client-Side Injection vulnerability via the last_name parameter in the General Information module.
Source: nvd
CVE-2024-54994 | P3 | MEDIUM | CVSS 6.5 | v4.1.2 | 2025-01-10
[MEDIUM] CWE-79: MonicaHQ v4.1.2 was discovered to contain multiple Client-Side Injection vulnerabilities via the first_name and last_name parameters in the Add a new relationship feature.
Source: nvd
CVE-2024-54998 | P4 | MEDIUM | CVSS 5.4 | v4.1.2 | 2025-01-10
[MEDIUM] CWE-79: MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter at /people/h:[id]/debts/create.
Source: nvd
CVE-2023-30788 | P4 | MEDIUM | CVSS 5.4 | v4.0.0 | 2023-05-08
[MEDIUM] CWE-79: MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people/add` endpoint and the nickName, description, lastName, middleName and firstName parameters.
Source: nvd
CVE-2023-30789 | P4 | MEDIUM | CVSS 5.4 | v4.0.0 | 2023-05-08
[MEDIUM] CWE-79: MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/work` endpoint and the job and company parameters.
Source: nvd
CVE-2023-30787 | P4 | MEDIUM | CVSS 5.4 | v4.0.0 | 2023-05-08
[MEDIUM] CWE-79: MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/introductions` endpoint and first_met_additional_info parameter.
Source: nvd
CVE-2023-30790 | P4 | MEDIUM | CVSS 5.4 | v4.0.0 | 2023-05-08
[MEDIUM] CWE-79: MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/relationships` endpoint and the first_name and last_name parameters.
Source: nvd
CVE-2024-54997 | P4 | MEDIUM | CVSS 5.4 | v4.1.1 | 2025-01-10
[MEDIUM] CWE-94: MonicaHQ v4.1.1 was discovered to contain an authenticated Client-Side Injection vulnerability via the entry text field at /journal/entries/ID/edit.
Source: nvd
CVE-2021-27371 | P4 | MEDIUM | CVSS 5.4 | v2.19.1 | 2021-02-22
[MEDIUM] CWE-79: The Contact page in Monica 2.19.1 allows stored XSS via the Description field.
Source: nvd
CVE-2021-27369 | P4 | MEDIUM | CVSS 5.4 | v2.19.1 | 2021-02-22
[MEDIUM] CWE-79: The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field.
Source: nvd
CVE-2024-54951 | P4 | MEDIUM | CVSS 5.4 | v4.1.2 | 2025-02-13
[MEDIUM] CWE-79: Monica 4.1.2 is vulnerable to Cross Site Scripting (XSS). A malicious user can create a malformed contact and use that contact in the "HOW YOU MET" customization options to trigger the XSS.
Source: nvd
CVE-2021-27559 | P4 | MEDIUM | CVSS 5.4 | v2.19.1 | 2021-02-22
[MEDIUM] CWE-79: The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field.
Source: nvd
CVE-2021-27368 | P4 | MEDIUM | CVSS 5.4 | v2.19.1 | 2021-02-22
[MEDIUM] CWE-79: The Contact page in Monica 2.19.1 allows stored XSS via the First Name field.
Source: nvd
CVE-2023-50465 | P4 | MEDIUM | CVSS 5.4 | v0.4.0 | 2023-12-11
[MEDIUM] CWE-79: A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.
Source: nvd
CVE-2020-35660 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.19.1 | 2021-04-14
[MEDIUM] CWE-79: Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page.
Source: nvd
Monicahq Monica vulnerabilities | cvebase