MonicaHQ
cpe:2.3:a:monicahq:monica:*:*:*:*:*:*:*
- 4.1.2
A Client-Side Template Injection vulnerability has been identified in MonicaHQ version 4.1.2. This vulnerability allows authenticated attackers to inject malicious code into the title and description fields of the reminders creation form. The issue is located in the '/people/ID/reminders/create' endpoint.
Successful Client-Side Template Injection here can lead to Stored Cross-Site Scripting: the injected script is saved with the reminder and executes in the context of the user when they access the affected reminder.
To reproduce this vulnerability, navigate as an authenticated user to the '/people/ID/reminders/create' page and inject a payload into the title and description fields. The payload can be a script, such as one that triggers an alert, which demonstrates the execution of the injected code.
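A defender-side check for the two fields named above, as an added example that is not MonicaHQ code: it audits reminder records for template interpolation expressions in `title` and `description`, including ones hidden behind HTML entities. The `{{ }}` delimiters, the record shape and the function names are assumptions, and the sample records are constructed.

```javascript
// Added example: audit reminder fields for client-side template expressions.
// Assumption: the front-end template engine interpolates {{ ... }}.
const DELIMITER_PAIRS = [['{{', '}}']];

// Entity-encoded braces are decoded first so they are flagged as well
// (conservative: whether they reach the engine depends on output encoding).
function decodeBraceEntities(text) {
  return text
    .replace(/&#x0*7b;|&#0*123;|&lcub;|&lbrace;/gi, '{')
    .replace(/&#x0*7d;|&#0*125;|&rcub;|&rbrace;/gi, '}');
}

// Return every complete open...close expression found in one field value.
function findTemplateExpressions(value, pairs = DELIMITER_PAIRS) {
  const text = decodeBraceEntities(String(value ?? ''));
  const hits = [];
  for (const [open, close] of pairs) {
    let start = text.indexOf(open);
    while (start !== -1) {
      const end = text.indexOf(close, start + open.length);
      if (end === -1) break; // unclosed delimiter: nothing to interpolate
      hits.push(text.slice(start, end + close.length));
      start = text.indexOf(open, end + close.length);
    }
  }
  return hits;
}

// Fields named in the advisory: reminder title and description.
function auditReminders(reminders, fields = ['title', 'description']) {
  const findings = [];
  for (const r of reminders) {
    for (const field of fields) {
      for (const expr of findTemplateExpressions(r[field])) {
        findings.push({ id: r.id, field, expr });
      }
    }
  }
  return findings;
}

// Constructed sample records (not taken from a real instance).
const SAMPLE_REMINDERS = [
  { id: 1, title: 'Call Alice', description: 'Birthday on the 3rd' },
  { id: 2, title: 'Lunch {{ 1 + 1 }}', description: 'plain text' },
  { id: 3, title: 'Gift', description: '&#123;&#123; 1 + 1 &#125;&#125;' },
  { id: 4, title: 'Note {{ unclosed', description: null },
];
console.log(auditReminders(SAMPLE_REMINDERS));
```

The same `findTemplateExpressions` check can be applied to incoming form values before a reminder is saved, so that flagged input is rejected or queued for review.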