Monica
by Monica
CVEs (21)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-54996 |  | High | 0.57 | 8.8 | 0.01 |  | Jan 10, 2025 | MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and description parameters at /people/ID/reminders/create. |
| CVE-2023-1094 |  | High | 0.57 | 8.8 | 0.01 |  | May 8, 2023 | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/food` endpoint and food parameter. |
| CVE-2023-1031 |  | High | 0.57 | 8.8 | 0.01 |  | May 8, 2023 | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `settings` endpoint and first_name parameter. |
| CVE-2024-48142 |  | High | 0.49 | 7.5 | 0.00 |  | Oct 24, 2024 | A prompt injection vulnerability in the chatbox of Butterfly Effect Limited Monica ChatGPT AI Assistant v2.4.0 allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. |
| CVE-2024-54999 |  | Med | 0.42 | 6.5 | 0.00 |  | Jan 13, 2025 | MonicaHQ v4.1.2 was discovered to contain a Client-Side Injection vulnerability via the last_name parameter in the General Information module. |
| CVE-2024-54994 |  | Med | 0.42 | 6.5 | 0.00 |  | Jan 10, 2025 | MonicaHQ v4.1.2 was discovered to contain multiple Client-Side Injection vulnerabilities via the first_name and last_name parameters in the Add a new relationship feature. |
| CVE-2024-54951 |  | Med | 0.35 | 5.4 | 0.00 |  | Feb 13, 2025 | Monica 4.1.2 is vulnerable to Cross Site Scripting (XSS). A malicious user can create a malformed contact and use that contact in the "HOW YOU MET" customization options to trigger the XSS. |
| CVE-2024-54998 |  | Med | 0.35 | 5.4 | 0.00 |  | Jan 10, 2025 | MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter at /people/h:[id]/debts/create. |
| CVE-2024-54997 |  | Med | 0.35 | 5.4 | 0.00 |  | Jan 10, 2025 | MonicaHQ v4.1.1 was discovered to contain an authenticated Client-Side Injection vulnerability via the entry text field at /journal/entries/ID/edit. |
| CVE-2023-50465 |  | Med | 0.35 | 5.4 | 0.01 |  | Dec 11, 2023 | A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user. |
| CVE-2023-30790 |  | Med | 0.35 | 5.4 | 0.01 |  | May 8, 2023 | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/relationships` endpoint and first_name and last_name parameters. |
| CVE-2023-30789 |  | Med | 0.35 | 5.4 | 0.01 |  | May 8, 2023 | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/work` endpoint and job and company parameters. |
| CVE-2023-30788 |  | Med | 0.35 | 5.4 | 0.01 |  | May 8, 2023 | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people/add` endpoint and nickName, description, lastName, middleName and firstName parameters. |
| CVE-2023-30787 |  | Med | 0.35 | 5.4 | 0.01 |  | May 8, 2023 | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/introductions` endpoint and first_met_additional_info parameter. |
| CVE-2021-27370 |  | Med | 0.03 | 5.4 | 0.03 |  | Feb 22, 2021 | The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field. |
| CVE-2026-26747 |  |  | 0.00 | — | 0.00 |  | Feb 20, 2026 | A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application… |
| CVE-2020-35660 |  | Med | 0.00 | 5.4 | 0.01 |  | Apr 14, 2021 | Cross Site Scripting (XSS) in Monica before 2.19.1 via the journal page. |
| CVE-2021-27559 |  | Med | 0.00 | 5.4 | 0.01 |  | Feb 22, 2021 | The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field. |
| CVE-2021-27371 |  | Med | 0.00 | 5.4 | 0.01 |  | Feb 22, 2021 | The Contact page in Monica 2.19.1 allows stored XSS via the Description field. |
| CVE-2021-27369 |  | Med | 0.00 | 5.4 | 0.01 |  | Feb 22, 2021 | The Contact page in Monica 2.19.1 allows stored XSS via the Middle Name field. |

Note that CVE-2024-48142 is included by name match only: its description concerns Butterfly Effect Limited's "Monica ChatGPT AI Assistant", not the MonicaHQ personal CRM that every other entry refers to. Every MonicaHQ entry except CVE-2026-26747 is an authenticated stored XSS or client-side template injection (CSTI) in a free-text field, so the attacker needs an account on the instance and the payload persists in the database until it is removed.
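Upgrading closes the injection points listed above but does not remove payloads that were stored before the upgrade, so a post-patch sweep of the affected text fields is worth running. The script below is an added example, not code from the Monica project or from any of the advisories: it classifies stored values into the two payload classes the listing distinguishes (HTML-context XSS versus mustache-style CSTI), shows why the CSTI entries are reported separately from the XSS ones (a server-side HTML escaping pass defuses `<img onerror>` but leaves `{{ ... }}` intact for the client-side template engine), and adds a check for the uploaded-SVG vector of CVE-2023-50465. The field names and sample rows are constructed to resemble a contacts export and are not Monica's schema.

```python
"""Sweep stored contact fields for XSS and client-side template injection (CSTI) payloads.

Added example, not code from the Monica project. Field names and sample rows are
constructed to resemble a contacts export; adapt them to the real schema.
"""
import html
import re

# Text sinks of the kind named by the entries above (contact, relationship, reminder,
# debt, journal, work, food and introduction fields all end up in the same rendered UI).
TEXT_FIELDS = ("first_name", "middle_name", "last_name", "nickname", "description")

# Mustache interpolation ({{ ... }}): the CSTI vector. Braces are not HTML-special,
# so a server-side escaping pass leaves them untouched for the client template engine.
MUSTACHE = re.compile(r"\{\{.*?\}\}", re.S)

# HTML-context vectors. Each alternative requires a tag opener, so escaped text
# (where "<" has become "&lt;") no longer matches.
HTML_XSS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|math|style)\b"  # active elements
    r"|<[^>]*\bon[a-z]+\s*="                                       # event handlers
    r"|<[^>]*javascript\s*:",                                       # javascript: URLs
    re.I,
)

# Same idea for uploaded SVG documents (the CVE-2023-50465 vector): an SVG is XML,
# so script elements, event handlers and javascript: hrefs are the active parts.
SVG_ACTIVE = re.compile(
    r"<\s*script\b|<[^>]*\bon[a-z]+\s*=|<[^>]*\bhref\s*=\s*[\"']?\s*javascript\s*:", re.I
)


def classify(value: str) -> set:
    """Labels for the payload classes present in a stored string; empty set if clean."""
    labels = set()
    if MUSTACHE.search(value):
        labels.add("csti")
    if HTML_XSS.search(value):
        labels.add("html_xss")
    return labels


def server_side_escape(value: str) -> str:
    """What a Blade {{ $x }} / htmlspecialchars() pass does to the value."""
    return html.escape(value, quote=True)


def survives_escaping(value: str) -> bool:
    """True when HTML escaping alone would not defuse the payload (the CSTI case)."""
    return bool(classify(server_side_escape(value)))


def svg_has_active_content(svg_text: str) -> bool:
    """True if an uploaded SVG carries script-capable content and should be rejected or sanitised."""
    return SVG_ACTIVE.search(svg_text) is not None


def sweep(rows, fields=TEXT_FIELDS):
    """Yield (row id, field, labels, still_dangerous_after_escape) for every flagged value."""
    for row in rows:
        for field in fields:
            value = row.get(field) or ""
            labels = classify(value)
            if labels:
                yield row["id"], field, labels, survives_escaping(value)


# Constructed sample export: a benign contact, a CSTI payload, and an HTML-context XSS.
SAMPLE_ROWS = [
    {"id": 1, "first_name": "Ada", "last_name": "Lovelace", "description": "Met at a conference."},
    {"id": 2, "first_name": "{{constructor.constructor('alert(document.domain)')()}}", "last_name": "Smith"},
    {"id": 3, "first_name": "Bob", "description": '<img src=x onerror="alert(1)">'},
]
SAMPLE_SVG_CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SAMPLE_SVG_ACTIVE = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'

if __name__ == "__main__":
    for contact_id, field, labels, still_live in sweep(SAMPLE_ROWS):
        print(f"contact {contact_id} {field}: {sorted(labels)}; escaping sufficient: {not still_live}")
    print("svg active:", svg_has_active_content(SAMPLE_SVG_ACTIVE), svg_has_active_content(SAMPLE_SVG_CLEAN))
```

The patterns are deliberately broad and will produce false positives on legitimate text that happens to contain a tag-like string; treat a hit as something to look at, not as proof of compromise. The useful signal is the last column of each hit: a value that still classifies after escaping is one that output encoding would never have stopped, which is exactly the class the CSTI advisories describe.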
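The host-header entry (CVE-2026-26747) turns on a Laravel behaviour: unless the application pins its root URL, `url()`, `route()` and `redirect()` build absolute URLs from the incoming Host header, so a request carrying a forged Host can make the application emit links, including password-reset links, that point at the attacker's domain. The probe below is an added example, not taken from Monica or from the advisory. It sends one request to the real instance with a Host header naming a canary domain and reports whether the canary comes back in a redirect `Location` or in absolute links in the body. The decision logic is a pure function exercised here on constructed responses; only `probe()` needs network access. The path `/password/reset` and the canary name are assumptions.

```python
"""Host header reflection probe for a Laravel application such as Monica.

Added example, not code from the Monica project or the advisory. The response
samples at the bottom are constructed, not captured from a real instance; only
probe() touches the network.
"""
import http.client
import re
from typing import Optional
from urllib.parse import urlsplit

# .invalid is reserved (RFC 2606), so a leaked link can never resolve to anyone.
CANARY = "host-canary.invalid"

# Absolute http(s) URLs in HTML/JSON bodies; stops at quotes, whitespace and tag ends.
ABS_URL = re.compile(r"https?://[^\s\"'<>]+")


def hostname_of(url: str) -> str:
    """Lower-cased host part of a URL, or '' if unparsable."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def reflects_host(status: int, headers: dict, body: str, canary: str = CANARY) -> dict:
    """Report where the spoofed Host came back: the Location header and/or body links.

    Either hit means absolute URLs were built from the request Host, which is what
    lets an attacker steer password-reset links to a domain they control.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    canary = canary.lower()
    return {
        "status": status,
        "location": hostname_of(lower.get("location", "")) == canary,
        "body": any(hostname_of(u) == canary for u in ABS_URL.findall(body)),
    }


def probe(target: str, path: str = "/password/reset", scheme: str = "https",
          port: Optional[int] = None, canary: str = CANARY) -> dict:
    """Send one request to the real host with a spoofed Host header and judge the reply.

    Assumed path: Laravel's default password-reset form. The TCP connection goes to
    `target`; only the Host header carries the canary.
    """
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(target, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": canary, "User-Agent": "host-header-probe/1"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return reflects_host(resp.status, dict(resp.getheaders()), body, canary)
    finally:
        conn.close()


# Constructed sample responses as (status, headers, body); not captured from a real instance.
VULNERABLE = (302, {"Location": "http://host-canary.invalid/login"}, "")
BODY_LEAK = (200, {"Content-Type": "text/html"},
             '<form method="POST" action="https://host-canary.invalid/password/email">')
HARDENED = (200, {"Content-Type": "text/html"},
            '<form method="POST" action="https://monica.example/password/email">')

if __name__ == "__main__":
    for name, sample in (("vulnerable", VULNERABLE), ("body-leak", BODY_LEAK), ("hardened", HARDENED)):
        print(name, reflects_host(*sample))
```

The reset e-mail itself, the usual target of this bug class, is not visible to the probe; a reflected `Location` or body link is the observable stand-in because it comes from the same URL generation. Per the advisory text the fix on the application side is to set `app.force_url` to true together with an explicit `app.url`, which makes the provider pin the root URL instead of trusting the request; Monica reads these from `.env` (`APP_URL`, and, assuming its config follows the usual `env('APP_FORCE_URL')` pattern, `APP_FORCE_URL=true`), so confirm the variable name in your `config/app.php`. Independently of that, have the reverse proxy answer only for your instance's name and drop or 444 anything else, so a forged Host never reaches PHP at all.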
Page 1 of 2