PT-2025-3086 · Monicahq · Monicahq

Nicolas Gula · Published 2025-01-10 · Updated 2025-01-13 · CVE-2024-54996

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MonicaHQ version 4.1.2

Description: Multiple authenticated client-side injection (XSS) vulnerabilities exist in MonicaHQ. They are reachable through the title and description parameters of the "/people/ID/reminders/create" API endpoint. Exploitation requires an authenticated user, which may limit the impact.

Recommendations: For MonicaHQ version 4.1.2, consider disabling the functionality that allows users to submit data in the title and description parameters of the "/people/ID/reminders/create" API endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation, and avoid using the title and description parameters of the affected endpoint until the issue is resolved.
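The underlying defect the recommendations work around is user-controlled reminder text reaching an HTML page without output encoding. The following Node.js snippet is an added example, not MonicaHQ's code: it shows the vulnerable interpolation pattern beside its hardened form and a small audit helper for flagging stored records that carry markup characters. The reminder record, its field names and the sample values are constructed for illustration; the real application's templates and data model may differ.

```javascript
// Added example (not MonicaHQ's code): output encoding for the title and
// description values of a reminder before they are placed in HTML.

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value. '&' is handled first so that the
// entities produced for the other characters are not escaped twice.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample record; the field names mirror the advisory's
// parameters, the values are made up for this example.
const sampleReminder = {
  title: '<script>alert("reminder")</script>',
  description: 'Call back "Bob" & confirm <b>date</b>',
};

// Vulnerable pattern: raw user input interpolated straight into markup, so
// any tag in title or description becomes part of the rendered page.
function renderReminderUnsafe(reminder) {
  return `<li><strong>${reminder.title}</strong>` +
         `<p>${reminder.description}</p></li>`;
}

// Hardened pattern: every user-controlled value is encoded at the point
// where it enters HTML, so the same input renders as visible text.
function renderReminderSafe(reminder) {
  return `<li><strong>${escapeHtml(reminder.title)}</strong>` +
         `<p>${escapeHtml(reminder.description)}</p></li>`;
}

// Triage helper for already-stored data: returns the names of the fields
// whose values contain angle brackets, i.e. records worth reviewing after
// the fix is deployed. Hypothetical helper, not part of any project API.
function fieldsWithMarkup(reminder) {
  return ["title", "description"].filter(
    (field) => /[<>]/.test(String(reminder[field] ?? ""))
  );
}

// Stand-alone usage.
console.log("unsafe:", renderReminderUnsafe(sampleReminder));
console.log("safe:  ", renderReminderSafe(sampleReminder));
console.log("fields with markup:", fieldsWithMarkup(sampleReminder));
```

The safe renderer is the only thing the advisory's remediation really needs; the audit helper exists because a fix to the template does not clean up values that were submitted before it, and a review of those records is part of closing out a finding like this one.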

Tags: XSS, Code Injection

Weakness Enumeration

Related Identifiers: CVE-2024-54996

Affected Products: Monicahq