Skip to main content

Monica CVE-2023-1031

HIGH
Cross-site Scripting (XSS) (CWE-79)
2023-05-08 help@fluidattacks.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
May 08, 2023 - 20:15 nvd
HIGH 8.8

DescriptionNVD

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the settings endpoint and first_name parameter.

AnalysisAI

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the settings endpoint and first_name parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the settings endpoint and first_name parameter. Affected products include: Monicahq Monica. Version information: version 4.0.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Monica

View all
CVE-2026-26747 CRITICAL POC
9.1 Feb 20

Host Header Poisoning in Monica 4.1.2 CRM. PoC available.

CVE-2024-54996 HIGH POC
8.8 Jan 10

MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and

CVE-2023-1094 HIGH POC
8.8 May 08

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in

CVE-2024-54994 MEDIUM POC
6.5 Jan 10

MonicaHQ v4.1.2 was discovered to contain multiple Client-Side Injection vulnerabilities via the first_name and last_nam

CVE-2024-54999 MEDIUM POC
6.5 Jan 13

MonicaHQ v4.1.2 was discovered to contain a Client-Side Injection vulnerability via the last_name parameter the General

CVE-2024-54951 MEDIUM POC
5.4 Feb 13

Monica 4.1.2 is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remote

CVE-2024-54997 MEDIUM POC
5.4 Jan 10

MonicaHQ v4.1.1 was discovered to contain an authenticated Client-Side Injection vulnerability via the entry text field

CVE-2024-54998 MEDIUM POC
5.4 Jan 10

MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter

CVE-2023-50465 MEDIUM POC
5.4 Dec 11

A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by

CVE-2023-30790 MEDIUM POC
5.4 May 08

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in

CVE-2023-30789 MEDIUM POC
5.4 May 08

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in

CVE-2023-30788 MEDIUM POC
5.4 May 08

MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in

Share

CVE-2023-1031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy