CVE-2021-27370

MEDIUM

Monica 2.19.1 - Stored Cross-Site Scripting via Last Name Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-27370. PoCs published by BouSalman.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Monica 2.19.1 by injecting a malicious payload into the 'last_name' field, which executes JavaScript when rendered. The payload uses constructor.constructor to bypass input validation and trigger an alert with the document.cookie.

Description

The Contact page in Monica 2.19.1 allows stored XSS via the Last Name field.

Exploits (1)

exploitdb · WORKING POC
by BouSalman · text · webapps · multiple
https://www.exploit-db.com/exploits/49582

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Monica 2.19.1
Auth required
Prerequisites: Valid session cookies · Access to the /people endpoint
MITRE ATT&CK
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Core References (4)
https://github.com/monicahq/monica/issues/4888 (Exploit, Issue Tracking, Third Party Advisory; x_refsource_misc)
https://github.com/monicahq/monica/pull/4543 (Exploit, Third Party Advisory; x_refsource_misc)
http://packetstormsecurity.com/files/161501/Monica-2.19.1-Cross-Site-Scripting.html (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)
https://huntr.dev/bounties/2-other-monica/ (Exploit, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3: 5.4
EPSS: 0.0327
EPSS Percentile: 86.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): monicahq/monica 2.19.1
Published: Feb 22, 2021
Tracked Since: Feb 18, 2026