CVE-2024-54996

8.8 HIGH

📋 TL;DR

MonicaHQ v4.1.2 contains authenticated client-side injection vulnerabilities in the title and description parameters of the reminders creation feature. This allows authenticated attackers to inject malicious scripts that execute in victims' browsers when viewing affected pages. All users running MonicaHQ v4.1.2 are affected.

💻 Affected Systems

Products:
  • MonicaHQ
Versions: v4.1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires an authenticated account with access to the reminders creation feature; the injected script runs in the browser of any user who views the affected reminder.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated attackers could steal session cookies, perform account takeover, redirect users to malicious sites, or perform actions on behalf of victims.

🟠 Likely Case

Attackers with valid credentials could perform cross-site scripting attacks against other users, potentially stealing sensitive data or performing unauthorized actions.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching victims' browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to the application and knowledge of the vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.1.3 or later

Vendor Advisory: https://github.com/monicahq/monica/releases

Restart Required: No

Instructions:

1. Backup your MonicaHQ installation and database.
2. Update to MonicaHQ v4.1.3 or later via git pull or package update.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Implement server-side validation and sanitization of the title and description parameters handled by the /people/ID/reminders/create endpoint, and HTML-encode both values wherever they are rendered.

🧯 If You Can't Patch

  • Restrict access to the reminders creation feature to trusted users only
  • Implement a web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running MonicaHQ v4.1.2 by examining version files or admin panel

Check Version:

Check .env file or admin dashboard for version information

Verify Fix Applied:

Verify installation is running v4.1.3 or later and test the reminders creation feature with test payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /people/*/reminders/create with script tags or JavaScript payloads

Network Indicators:

  • HTTP requests containing script injections in title or description parameters

SIEM Query:

source="monica_logs" AND (uri="/people/*/reminders/create" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:"))
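The log indicators and SIEM query above can be checked offline with this added Python detector (example code, not from the page or the Monica project). The log line format and the sample entries are constructed; the matcher goes beyond the literal "<script>" of the SIEM query to also catch case variants, URL-encoded forms and inline event handlers.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log lines (not real Monica logs). Assumed format:
# "<method> <uri> <form-encoded body>"
SAMPLE_LOGS = [
    "POST /people/42/reminders/create title=Call+mom&description=Birthday",
    "POST /people/42/reminders/create title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&description=x",
    "POST /people/7/reminders/create title=hi&description=%3CSCRIPT+src%3D%2F%2Fexample.invalid%3E",
    "POST /people/7/reminders/create title=link&description=javascript%3Aalert(1)",
    "GET /people/42/reminders/create ",
    "POST /contacts title=%3Cscript%3E",
]

# Only the vulnerable endpoint named in the advisory
REMINDER_CREATE = re.compile(r"^/people/\d+/reminders/create$")
# Any <script tag regardless of case or attributes, javascript: URIs,
# and inline event handlers such as onerror=
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# The two parameters the advisory identifies as injectable
WATCHED_PARAMS = ("title", "description")


def suspicious_params(body):
    """Return the names of watched parameters whose value matches SUSPICIOUS."""
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            # parse_qs decodes once; decode again to catch double-encoded payloads
            if SUSPICIOUS.search(unquote_plus(value)):
                hits.append(name)
                break
    return hits


def scan_logs(lines):
    """Return (uri, [param, ...]) for each POST to the reminder endpoint carrying a payload."""
    alerts = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        method, uri, body = parts
        if method != "POST" or not REMINDER_CREATE.match(uri):
            continue
        hits = suspicious_params(body)
        if hits:
            alerts.append((uri, hits))
    return alerts
```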
