Lautaro Casanova

**Name of the Vulnerable Software and Affected Versions** Plane version 0.7.1 **Description** The issue allows an unauthenticated attacker to view all stored server files of all users. **Recommendations** For Plane version 0.7.1, update to a version that contains a fix for this issue, as the current version allows unauthorized access to sensitive data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plane version 0.7.1-dev **Description** The issue allows an attacker to change the avatar of their profile, enabling the upload of files with HTML extension that can interpret both HTML and JavaScript. **Recommendations** For Plane version 0.7.1-dev, consider disabling the avatar upload feature until a patch is available to prevent exploitation. Restrict access to profile modification to minimize the risk of malicious file uploads. Avoid using the feature that allows HTML file uploads in the affected version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.0.0 **Description** The issue allows an authenticated remote attacker to execute malicious code in the application via CSTI in the "people:id/introductions" endpoint and `first met additional info` parameter. **Recommendations** For MonicaHQ version 4.0.0, consider disabling access to the "people:id/introductions" endpoint until a patch is available. As a temporary workaround, restrict the use of the `first met additional info` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.0.0 **Description** The issue allows an authenticated remote attacker to execute malicious code in the application via CSTI in the "settings" endpoint and `first name` parameter. **Recommendations** For MonicaHQ version 4.0.0, consider disabling access to the "settings" endpoint or restricting the use of the `first name` parameter until a patch is available. Additionally, monitor user activity and authentication processes to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.0.0 **Description** The issue allows an authenticated remote attacker to execute malicious code in the application via CSTI in the "people:id/work" endpoint, specifically using the `job` and `company` parameters. **Recommendations** For MonicaHQ version 4.0.0, consider disabling access to the "people:id/work" endpoint until a patch is available. As a temporary workaround, restrict the use of the `job` and `company` parameters in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.0.0 **Description** The issue allows an authenticated remote attacker to execute malicious code in the application via CSTI in the "people:id/relationships" endpoint, specifically using the `first name` and `last name` parameters. **Recommendations** For MonicaHQ version 4.0.0, consider disabling access to the "people:id/relationships" endpoint until a patch is available. As a temporary workaround, restrict the use of the `first name` and `last name` parameters in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.0.0 **Description** The issue allows an authenticated remote attacker to execute malicious code in the application. This is achieved via CSTI in the "people/add" endpoint, utilizing parameters such as `nickName`, `description`, `lastName`, `middleName`, and `firstName`. **Recommendations** For MonicaHQ version 4.0.0, consider disabling access to the "people/add" endpoint until a patch is available, or restrict the use of the `nickName`, `description`, `lastName`, `middleName`, and `firstName` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.0.0 **Description** The issue allows an authenticated remote attacker to execute malicious code in the application via CSTI in the "people:id/food" endpoint and `food` parameter. **Recommendations** For MonicaHQ version 4.0.0, as a temporary workaround, consider disabling access to the "people:id/food" endpoint until a patch is available. Restrict the use of the `food` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.