MonicaHQ Client-Side Injection Vulnerability Leading to Stored Cross-Site Scripting

A client-side injection vulnerability has been identified in MonicaHQ version 4.1.2. This issue allows authenticated attackers to inject malicious code into the 'last_name' parameter of the General Information module, located within the settings section. The vulnerability arises from improper handling of user input, which can be exploited to execute scripts that are stored and potentially executed in the context of the user.

Impact

Exploitation of this vulnerability results in client-side template injection, which can lead to stored cross-site scripting. This means that injected scripts are executed in the context of the user, potentially allowing for the theft of cookies, session tokens, or other sensitive information.

Reproduction

To reproduce this vulnerability, log into MonicaHQ version 4.1.2 and navigate to the General Information module under the settings section. Inject a payload into the 'last_name' field that exploits the client-side template injection, such as one that uses the 'toString().constructor.constructor' method to execute JavaScript code, like an alert.