CVE-2024-54996
Published: 10 January 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2024-54996 is a high-severity vulnerability (CVSS 3.1 score of 8.8) affecting MonicaHQ version 4.1.2, an open-source personal relationship management tool. The flaw involves multiple authenticated client-side injection vulnerabilities, mapped to CWE-79 (Cross-Site Scripting) and CWE-94 (Code Injection), exploitable through the title and description parameters in the endpoint /people/ID/reminders/create. These injections occur on the client side, potentially allowing malicious payloads to execute in the victim's browser context.
An attacker with low-privilege authenticated access (PR:L), such as a registered user, can exploit this by submitting crafted title or description inputs when creating reminders for a person profile. Successful exploitation enables high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), including theft of session data, manipulation of user data, or disruption of application functionality, all over the network (AV:N) with low complexity (AC:L) and no additional user interaction required (UI:N) beyond normal application use.
Advisories and related resources are available at the official MonicaHQ site (http://monicahq.com) and a GitHub repository containing proof-of-concept details (https://github.com/p314dO/CVEs/tree/main/CVE-2024-54996), published on 2025-01-10. Practitioners should review these for patch availability or workarounds in MonicaHQ updates.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated client-side injection in reminder title/description enables arbitrary JavaScript execution (T1059.007) in victims' browsers when viewing affected pages and facilitates stealing web session cookies (T1539).