CVE-2024-54998

Name of the Vulnerable Software and Affected Versions MonicaHQ version 4.1.2

Description The issue is related to an authenticated Client-Side Injection vulnerability in MonicaHQ. This vulnerability can be exploited via the Reason parameter at the "/people/h:[id]/debts/create" API endpoint.

Recommendations For MonicaHQ version 4.1.2, consider disabling the Reason parameter in the "/people/h:[id]/debts/create" API endpoint as a temporary workaround until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.