CVE-2024-54996
Published: 10 January 2025
Summary
CVE-2024-54996 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Monicahq Monica. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique JavaScript (T1059.007). The CVE is ranked at the 32.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates input validation at application entry points, directly preventing malicious payloads in title and description parameters from being accepted and processed for client-side injection.
SI-15 requires output filtering and encoding before rendering user-supplied data in the browser, blocking XSS execution from injected content in reminders.
SI-2 ensures timely remediation of identified flaws like CVE-2024-54996 through patching or code fixes in MonicaHQ, eliminating the vulnerability root cause.
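As an added illustration of the two controls above (not code from MonicaHQ or from this advisory), the Python below places the vulnerable string-concatenation pattern beside its hardened form: `validate_reminder_input` applies SI-10 style validation at the form boundary and `render_reminder_safe` applies SI-15 style output encoding before the title and description reach the browser. Function names, length limits and the sample values are assumptions constructed for the example.

```python
import html
import re
import unicodedata

# Constructed limits for the reminder form (assumption; Monica's real limits are not given on the page).
MAX_TITLE = 255
MAX_DESCRIPTION = 2000
# ASCII control characters other than tab, newline and carriage return.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class ValidationError(ValueError):
    pass


def validate_reminder_input(title: str, description: str) -> dict:
    """SI-10 style validation at the entry point: normalise, strip control
    characters, enforce presence and length. It deliberately does not try to
    strip HTML tags (blocklisting is brittle); the values stay as data and are
    encoded at output time instead."""
    cleaned = {}
    for field, value, limit in (("title", title, MAX_TITLE),
                                ("description", description, MAX_DESCRIPTION)):
        if not isinstance(value, str):
            raise ValidationError(f"{field}: must be a string")
        value = unicodedata.normalize("NFC", value)
        value = _CONTROL_CHARS.sub("", value).strip()
        if field == "title" and not value:
            raise ValidationError("title: required")
        if len(value) > limit:
            raise ValidationError(f"{field}: longer than {limit} characters")
        cleaned[field] = value
    return cleaned


def render_reminder_unsafe(reminder: dict) -> str:
    """The vulnerable pattern: user-controlled values concatenated straight into HTML."""
    return f"<li><strong>{reminder['title']}</strong>: {reminder['description']}</li>"


def render_reminder_safe(reminder: dict) -> str:
    """SI-15 style output encoding: every user-controlled value is HTML-escaped
    (quotes included) for the HTML text context it is rendered into."""
    title = html.escape(reminder["title"], quote=True)
    description = html.escape(reminder["description"], quote=True)
    return f"<li><strong>{title}</strong>: {description}</li>"


if __name__ == "__main__":
    # Constructed sample input of the kind the advisory says the title parameter accepted.
    reminder = validate_reminder_input("<script>alert(1)</script>", 'call back "soon"')
    print(render_reminder_unsafe(reminder))  # markup reaches the page unchanged
    print(render_reminder_safe(reminder))    # markup is rendered as literal text
```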
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated client-side injection in the reminder title and description enables arbitrary JavaScript execution (T1059.007) in the browsers of victims who view the affected pages, and facilitates theft of web session cookies (T1539).
NVD Description
MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and description parameters at /people/ID/reminders/create.
Deeper analysis
CVE-2024-54996 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting MonicaHQ version 4.1.2, an open-source personal relationship management tool. The flaw involves multiple authenticated client-side injection vulnerabilities, mapped to CWE-79 (Cross-Site Scripting) and CWE-94 (Code Injection), exploitable through the title and description parameters in the endpoint /people/ID/reminders/create. These injections occur on the client side, potentially allowing malicious payloads to execute in the victim's browser context.
An attacker with low-privilege authenticated access (PR:L), such as a registered user, can exploit this by submitting crafted title or description inputs when creating reminders for a person profile. Successful exploitation enables high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), including theft of session data, manipulation of user data, or disruption of application functionality, all over the network (AV:N) with low complexity (AC:L) and no additional user interaction required (UI:N) beyond normal application use.
Advisories and related resources are available at the official MonicaHQ site (http://monicahq.com) and a GitHub repository containing proof-of-concept details (https://github.com/p314dO/CVEs/tree/main/CVE-2024-54996), published on 2025-01-10. Practitioners should review these for patch availability or workarounds in MonicaHQ updates.
Details
- CWE(s)