Nicolas Gula

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.1.2 **Description** The issue is a Client-Side Injection vulnerability via the `last name` parameter in the General Information module. This vulnerability can be exploited. **Recommendations** For MonicaHQ version 4.1.2, as a temporary workaround, consider restricting the use of the `last name` parameter in the General Information module until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.1.2 **Description** The issue is related to multiple Client-Side Injection vulnerabilities found in MonicaHQ. These vulnerabilities occur via the `first name` and `last name` parameters in the Add a new relationship feature. **Recommendations** For MonicaHQ version 4.1.2, consider disabling the Add a new relationship feature until a patch is available to prevent exploitation of the `first name` and `last name` parameters. Restrict access to these parameters to minimize the risk of exploitation. Avoid using the `first name` and `last name` parameters in the affected feature until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.1.2 **Description** The issue concerns multiple authenticated Client-Side Injection vulnerabilities in MonicaHQ. These vulnerabilities occur through the `title` and `description` parameters at the "/people/ID/reminders/create" API endpoint. The exploitation of this issue can be done by authenticated users, which may limit the impact. **Recommendations** For MonicaHQ version 4.1.2, consider disabling the functionality that allows users to input data into the `title` and `description` parameters at the "/people/ID/reminders/create" API endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the `title` and `description` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.1.1 **Description** The issue is related to an authenticated Client-Side Injection vulnerability. This vulnerability can be triggered by an authenticated user through the entry text field at the "/journal/entries/ID/edit" API endpoint. The `entry text field` is the vulnerable parameter in this case. **Recommendations** For MonicaHQ version 4.1.1, consider disabling access to the "/journal/entries/ID/edit" API endpoint until a patch is available. As a temporary workaround, restrict the use of the entry text field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MonicaHQ version 4.1.2 **Description** The issue is related to an authenticated Client-Side Injection vulnerability in MonicaHQ. This vulnerability can be exploited via the `Reason` parameter at the "/people/h:[id]/debts/create" API endpoint. **Recommendations** For MonicaHQ version 4.1.2, consider disabling the `Reason` parameter in the "/people/h:[id]/debts/create" API endpoint as a temporary workaround until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.