CVE-2024-54951

MEDIUM

Monica 4.1.2 - Stored Cross-Site Scripting via 'HOW YOU MET' Customization


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-54951. PoCs published by Allevon412.

AI-analyzed exploit summary: This repository documents a stored XSS vulnerability in Monica Docker v. 4.1.2, where malicious JavaScript payloads can be injected into contact name fields and executed when viewed in the 'HOW YOU MET' section. The writeup includes step-by-step instructions with screenshots but no exploit code.

Description

Monica 4.1.2 is vulnerable to Cross Site Scripting (XSS). A malicious user can create a malformed contact and use that contact in the "HOW YOU MET" customization options to trigger the XSS.

Exploits (1)

nomisec WRITEUP
by Allevon412 · poc
https://github.com/Allevon412/CVE-2024-54951


Classification
Writeup 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Monica Docker v. 4.1.2
Auth required
Prerequisites: Authenticated access to the Monica application · Ability to create or edit contacts
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 5.4
EPSS 0.0046
EPSS Percentile 36.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
monicahq/monica 4.1.2
Published Feb 13, 2025
Tracked Since Feb 18, 2026