CVE-2024-54951

5.4 MEDIUM

📋 TL;DR

Monica 4.1.2 contains a stored cross-site scripting (XSS) vulnerability in the 'HOW YOU MET' contact customization field. An authenticated user can save a contact whose 'HOW YOU MET' value contains script, and that script executes in the browser of any other user who views the contact. Every Monica 4.1.2 installation is affected in its default configuration.

💻 Affected Systems

Products:
  • Monica
Versions: 4.1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to create contacts. All deployments using vulnerable version are affected regardless of OS.

📦 What is this software?

Monica is an open-source personal CRM (monicahq/monica on GitHub) for keeping track of the people in your life and how you know them; it is a PHP/Laravel web application that is usually self-hosted. Contacts are its central object, and 'How you met' is one of the free-text fields attached to a contact.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy malware through browser exploitation.

🟠

Likely Case

Attackers with user accounts could steal other users' session tokens, perform unauthorized actions, or deface contact information.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated user account. Public proof-of-concept available on GitHub shows exact payload structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.3 or later

Vendor Advisory: https://github.com/monicahq/monica/releases

Restart Required: Yes

Instructions:

1. Back up the Monica database.
2. Update Monica to version 4.1.3 or newer via git pull or your package manager.
3. Run database migrations if the release requires them.
4. Restart the web server and the queue workers.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all deployments)

Implement server-side input validation in the contact creation/update endpoints to reject or sanitize script content in contact fields before storage. Treat this as a secondary control only: a rule that rejects the literal <script> tag is bypassed by case changes, inline event handlers (onerror=, onfocus=) and encoding, so it does not replace output encoding.

Output Encoding (applies to: all deployments)

Apply proper HTML encoding when displaying contact customization fields: every place a contact field is rendered should pass it through htmlspecialchars() with ENT_QUOTES (or the template engine's escaping output syntax) rather than interpolating it raw. This is the primary defense, and the only one of the two that also neutralises payloads that are already stored in the database.

🧯 If You Can't Patch

  • Disable contact creation for non-admin users
  • Implement web application firewall (WAF) rules to block XSS payloads in contact fields (a stop-gap only: signature rules are routinely bypassed with case changes, event-handler attributes and encoding, and they do nothing about contacts already stored)
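The two workarounds above (an input filter and output encoding) run side by side against the same inputs. This is an added Python example, not code from the Monica project, which is PHP: html.escape(value, quote=True) stands in for htmlspecialchars($value, ENT_QUOTES). The <p class="how-you-met"> wrapper and the sample payloads are assumptions constructed for the demo, not the payload from the public PoC.

```python
import html

# Constructed sample inputs for the demo (not the public PoC's payload):
# one textbook <script> payload plus three variants a '<script>' blocklist misses.
PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<ScRiPt>alert(1)</ScRiPt>",
    "<img src=x onerror=alert(1)>",
    '" autofocus onfocus="alert(1)',
]
BENIGN = "We met at a conference in 2019 & stayed in touch"

# Assumed markup around the field; Monica's real template may differ.
PREFIX = '<p class="how-you-met">'
SUFFIX = "</p>"


def naive_script_filter(value: str) -> bool:
    """Blocklist-style input validation (the first workaround), deliberately naive:
    accept anything that does not contain the literal lowercase '<script>'."""
    return "<script>" not in value


def encode_for_html_text(value: str) -> str:
    """Output encoding for HTML text content (the second workaround).
    Equivalent to PHP htmlspecialchars($value, ENT_QUOTES): & < > " ' become entities."""
    return html.escape(value, quote=True)


def render_unsafe(value: str) -> str:
    """'Before': the stored value is interpolated raw, which is the bug."""
    return f"{PREFIX}{value}{SUFFIX}"


def render_safe(value: str) -> str:
    """'After': the stored value is encoded at output time."""
    return f"{PREFIX}{encode_for_html_text(value)}{SUFFIX}"


def value_is_inert(rendered: str) -> bool:
    """True if the interpolated part can neither open a tag nor close an attribute:
    no raw < > " ' survives between the fixed prefix and suffix."""
    inner = rendered[len(PREFIX):len(rendered) - len(SUFFIX)]
    return not any(c in inner for c in "<>\"'")


def filter_bypasses() -> list:
    """Payloads the blocklist accepts unchanged."""
    return [p for p in PAYLOADS if naive_script_filter(p)]


def encoding_neutralises_all() -> bool:
    """Does output encoding make every payload inert while still passing benign text?"""
    return (all(value_is_inert(render_safe(p)) for p in PAYLOADS)
            and value_is_inert(render_safe(BENIGN)))


if __name__ == "__main__":
    for p in PAYLOADS:
        verdict = "accepted" if naive_script_filter(p) else "rejected"
        print(f"{verdict:8} by filter | raw render inert: {value_is_inert(render_unsafe(p))!s:5} "
              f"| encoded render inert: {value_is_inert(render_safe(p))}")
    print("filter bypasses:", len(filter_bypasses()),
          "| encoding neutralises all:", encoding_neutralises_all())
```

The blocklist lets three of the four payloads through; encoding makes all four inert and leaves the benign text readable (the & becomes &amp;). If the field is rendered by a Laravel Blade template, `{{ $value }}` applies exactly this encoding and `{!! $value !!}` skips it; on the Vue side, `v-html` is the equivalent raw sink. Note that html.escape only covers HTML text and quoted-attribute contexts; a value placed inside a JavaScript string or a URL needs that context's own encoder.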

🔍 How to Verify

Check if Vulnerable:

Check whether the Monica version is exactly 4.1.2. To confirm, on a test instance rather than production (the contact stays stored until you delete it), create a contact with <script>alert('XSS')</script> in the 'HOW YOU MET' field and see whether the script executes when the contact is viewed. Expect this test to match the detection rules in the Detection & Monitoring section.

Check Version:

Check .env file for APP_VERSION or view footer in Monica web interface

Verify Fix Applied:

After updating to 4.1.3+, attempt same XSS payload - it should display as plain text rather than executing.
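An offline checker for the two verification steps above, the version string and the reflection of a marker, written here as an added Python example; it is not a tool from the Monica project. It uses a harmless canary tag instead of alert(), so a vulnerable instance reflects the tag without popping dialogs for anyone else, and it distinguishes a raw reflection (vulnerable) from an entity-encoded one (fixed). The two response bodies are constructed stand-ins; the markup of a real contact page is an assumption.

```python
import html
import re
import uuid
from typing import Optional

# The advisory lists exactly one affected version.
AFFECTED_VERSIONS = {(4, 1, 2)}


def parse_version(version: str) -> tuple:
    """'v4.1.2' or '4.1.2' -> (4, 1, 2); anything else is an error."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_listed_affected(version: str) -> bool:
    """True only for versions the advisory lists as affected."""
    return parse_version(version) in AFFECTED_VERSIONS


def make_canary(token: Optional[str] = None) -> str:
    """A distinctive, harmless marker: an unknown element that the browser
    parses as a tag if reflected raw, but that runs no script."""
    token = token or uuid.uuid4().hex[:12]
    return f"<xss-canary-{token}>"


def classify_reflection(page_html: str, canary: str) -> str:
    """'vulnerable' if the canary appears raw in the response body,
    'fixed' if it appears only entity-encoded (displayed as plain text),
    'absent' if neither form is present."""
    if canary in page_html:
        return "vulnerable"
    # htmlspecialchars() without ENT_QUOTES leaves quotes alone, so accept both forms.
    if (html.escape(canary, quote=True) in page_html
            or html.escape(canary, quote=False) in page_html):
        return "fixed"
    return "absent"


# Constructed response bodies standing in for a contact page before and after the fix
# (assumed markup, not Monica's actual template).
CANARY = make_canary("deadbeef0001")
VULNERABLE_PAGE = f'<html><body><div class="how-you-met">{CANARY}</div></body></html>'
FIXED_PAGE = f'<html><body><div class="how-you-met">{html.escape(CANARY, quote=True)}</div></body></html>'


if __name__ == "__main__":
    print("4.1.2 affected:", is_listed_affected("4.1.2"), "| v4.1.3 affected:", is_listed_affected("v4.1.3"))
    print("canary:", CANARY)
    print("pre-patch page:", classify_reflection(VULNERABLE_PAGE, CANARY))
    print("post-patch page:", classify_reflection(FIXED_PAGE, CANARY))
```

In practice: save the canary in a test contact's 'HOW YOU MET' field, fetch the contact page with the same authenticated session (for example with curl and the session cookie) and pass the body to classify_reflection(). Treat 'absent' as inconclusive rather than as a pass: if the value reaches the browser in another form, such as JSON-escaped inside a script block for a client-side component, the reliable check is the rendered DOM in a browser.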

📡 Detection & Monitoring

Log Indicators:

  • Unusual contact creation patterns
  • JavaScript payloads in contact field POST requests

Network Indicators:

  • POST requests to contact endpoints containing script tags or JavaScript

SIEM Query:

web_requests WHERE url_path CONTAINS '/contacts' AND request_body CONTAINS '<script>'

Notes: the query only works where request bodies are logged at all. Stock web-server access logs record neither POST bodies nor form fields, so request_body has to come from a WAF, a reverse proxy configured for body logging, or the application itself. Match after URL-decoding the body, since a browser submits the tag as %3Cscript%3E, and match case-insensitively and on inline event handlers too, since a literal '<script>' misses trivial variants. Expect your own verification test to trigger the rule.
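The page's query run over constructed log lines, next to a broadened version and a simple rate check for the 'unusual contact creation patterns' indicator. This is an added Python example, not a vendor-supplied SIEM rule; the JSON log shape, the /contacts paths, the how_you_met parameter and the user names are assumptions constructed for the demo.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed reverse-proxy log lines (JSON, one request per line).  The field
# names, the /contacts paths and the how_you_met form parameter are assumptions
# for this example, not Monica's actual routes or log format.
SAMPLE_LOG = r"""
{"ts": "2025-01-10T09:00:01Z", "user": "alice", "method": "POST", "path": "/contacts", "body": "first_name=A&how_you_met=<script>alert(1)</script>"}
{"ts": "2025-01-10T09:00:05Z", "user": "bob", "method": "POST", "path": "/contacts", "body": "first_name=B&how_you_met=<ScRiPt>alert(1)</ScRiPt>"}
{"ts": "2025-01-10T09:00:09Z", "user": "bob", "method": "POST", "path": "/contacts/7", "body": "how_you_met=<img src=x onerror=alert(1)>"}
{"ts": "2025-01-10T09:00:12Z", "user": "carol", "method": "POST", "path": "/contacts", "body": "first_name=C&how_you_met=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}
{"ts": "2025-01-10T09:00:15Z", "user": "dave", "method": "GET", "path": "/contacts/12", "body": ""}
{"ts": "2025-01-10T09:00:20Z", "user": "dave", "method": "POST", "path": "/contacts", "body": "first_name=D&how_you_met=Met at a conference"}
{"ts": "2025-01-10T09:01:00Z", "user": "eve", "method": "POST", "path": "/contacts", "body": "first_name=E1"}
{"ts": "2025-01-10T09:01:04Z", "user": "eve", "method": "POST", "path": "/contacts", "body": "first_name=E2"}
{"ts": "2025-01-10T09:01:08Z", "user": "eve", "method": "POST", "path": "/contacts", "body": "first_name=E3"}
{"ts": "2025-01-10T09:01:12Z", "user": "eve", "method": "POST", "path": "/contacts", "body": "first_name=E4"}
{"ts": "2025-01-10T09:01:16Z", "user": "eve", "method": "POST", "path": "/contacts", "body": "first_name=E5"}
"""


def parse_log(text: str) -> list:
    """One dict per line, with the timestamp parsed for the rate check."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def page_query(rec: dict) -> bool:
    """Literal transcription of the page's SIEM query."""
    return "/contacts" in rec["path"] and "<script>" in rec["body"]


# Opening <script> tag, any tag carrying an on*= handler attribute, or a javascript: URL.
_XSS_MARKERS = re.compile(r"<\s*script|<\s*\w+[^>]*\son\w+\s*=|javascript:", re.IGNORECASE)


def broadened_query(rec: dict) -> bool:
    """Same intent as page_query, but restricted to write methods, applied after
    URL-decoding the form body, case-insensitive, and covering event handlers."""
    if rec["method"] not in ("POST", "PUT", "PATCH") or "/contacts" not in rec["path"]:
        return False
    return _XSS_MARKERS.search(unquote_plus(rec["body"])) is not None


def contact_creation_bursts(records: list, window: timedelta = timedelta(seconds=60),
                            threshold: int = 5) -> dict:
    """Users who POSTed /contacts at least `threshold` times inside any `window`
    (sliding window per user); returns {user: max_count_in_window}."""
    per_user = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"] == "/contacts":
            per_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def run_detections(text: str = SAMPLE_LOG) -> dict:
    """Apply all three detections and return who each one flags."""
    records = parse_log(text)
    return {
        "page_query": [r["user"] for r in records if page_query(r)],
        "broadened": [r["user"] for r in records if broadened_query(r)],
        "bursts": contact_creation_bursts(records),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name:10}: {hits}")
```

The literal query flags only alice. It misses bob's case variant, bob's event-handler payload, and carol's request, whose body is the textbook payload exactly as an HTML form submits it (URL-encoded, %3Cscript%3E); decode before matching, and use JSON decoding instead where the client sends JSON bodies. The rate check flags eve, who created five contacts inside a minute with no payload at all, which is the pattern the 'unusual contact creation' indicator is after. Thresholds here are arbitrary and need tuning against a real baseline.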

🔗 References

  • Vendor releases: https://github.com/monicahq/monica/releases