Skip to main content

Monica CVE-2021-27559

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2021-02-22 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 22, 2021 - 15:15 nvd
MEDIUM 5.4

DescriptionNVD

The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field.

AnalysisAI

The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The Contact page in Monica 2.19.1 allows stored XSS via the Nickname field. Affected products include: Monicahq Monica.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Monica

View all
CVE-2026-26747 CRITICAL POC
9.1 Feb 20

Host Header Poisoning in Monica 4.1.2 CRM. PoC available.

CVE-2024-54996 HIGH POC
8.8 Jan 10

MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and

CVE-2023-1094 HIGH POC
8.8 May 08

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in

CVE-2023-1031 HIGH POC
8.8 May 08

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in

CVE-2024-54994 MEDIUM POC
6.5 Jan 10

MonicaHQ v4.1.2 was discovered to contain multiple Client-Side Injection vulnerabilities via the first_name and last_nam

CVE-2024-54999 MEDIUM POC
6.5 Jan 13

MonicaHQ v4.1.2 was discovered to contain a Client-Side Injection vulnerability via the last_name parameter the General

CVE-2024-54951 MEDIUM POC
5.4 Feb 13

Monica 4.1.2 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remote

CVE-2024-54997 MEDIUM POC
5.4 Jan 10

MonicaHQ v4.1.1 was discovered to contain an authenticated Client-Side Injection vulnerability via the entry text field

CVE-2024-54998 MEDIUM POC
5.4 Jan 10

MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter

CVE-2023-50465 MEDIUM POC
5.4 Dec 11

A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by

CVE-2023-30790 MEDIUM POC
5.4 May 08

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in

CVE-2023-30789 MEDIUM POC
5.4 May 08

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in

Share

CVE-2021-27559 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy