vulnerability cross-site scripting (xss) - stored (cwe-79)
severity 6.1
language php
registry other


Stored Cross Site Scripting (Authenticated) via Unvalidated Input

✍️ Description

Monica CRM allows users to personalize the contact field types from the personalization page in settings, but it does not validate the protocol the user enters. An attacker can therefore use the javascript: protocol to create links that execute JavaScript on the contact's profile page.

🕵️‍♂️ Proof of Concept

Given you have installed Monica CRM, log in and visit the /settings/personalization page to add the protocol. Create a new field type, name it whatever you want, and in the protocol field type javascript: and save it. Then, on the profile page of a contact, click "Add" in the Contact information box, select the field type you created from the dropdown, and add any JavaScript payload, for example alert('xss').
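The root cause above is that the protocol value is stored without being checked. The following is an added example (not Monica's own code) of an allow-list check for that value; it assumes PHP 8 and a hypothetical allow-list of link schemes, and normalizes case and control characters before parsing so that variants such as "JaVaScRiPt:" or "java\tscript:" are rejected too.

```php
<?php
// Added example, not Monica's own code: allow-list check for the "protocol"
// value of a custom contact field type, the value the advisory says is saved
// unvalidated from /settings/personalization. Assumes PHP 8 (str_contains).

declare(strict_types=1);

// Schemes a contact link may use. Everything else (javascript:, data:,
// vbscript:, ...) is rejected, so the check need not enumerate bad schemes.
const ALLOWED_PROTOCOL_SCHEMES = ['http', 'https', 'mailto', 'tel', 'sms'];

function normalizeProtocol(string $protocol): string
{
    // Browsers ignore ASCII control characters and whitespace inside a URL
    // scheme ("java\tscript:" still runs), so strip them before checking.
    $clean = preg_replace('/[\x00-\x20\x7f]/', '', $protocol);
    return strtolower($clean ?? '');
}

function isAllowedProtocol(string $protocol): bool
{
    $clean = normalizeProtocol($protocol);
    if ($clean === '' || !str_contains($clean, ':')) {
        return false; // no scheme separator at all
    }
    $scheme = parse_url($clean, PHP_URL_SCHEME);
    if (!is_string($scheme)) {
        return false; // malformed URL or no parseable scheme
    }
    return in_array($scheme, ALLOWED_PROTOCOL_SCHEMES, true);
}

// Constructed sample inputs: values a user could type into the protocol field.
$samples = [
    'mailto:'               => true,
    'https://example.com/'  => true,
    'javascript:'           => false,  // the case the advisory describes
    'JaVaScRiPt:alert(1)'   => false,
    "java\tscript:alert(1)" => false,
    'data:text/html,'       => false,
    'example.com'           => false,  // no scheme
];

foreach ($samples as $input => $expected) {
    $result = isAllowedProtocol($input);
    printf("%-26s => %s%s\n", json_encode($input),
        $result ? 'allowed' : 'rejected',
        $result === $expected ? '' : '  (UNEXPECTED)');
}
```

The server-side check must run on save; the stored protocol should additionally be escaped when rendered into the href on the profile page.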

💥 Impact

Stored Cross Site Scripting