CVE-2023-30789: 
NixOS vulnerability analysis and mitigation

MonicaHQ version 4.0.0 contains a Client-Side Template Injection (CSTI) vulnerability that allows an authenticated remote attacker to execute malicious code in the application via the people:id/work endpoint and job and company parameter. The vulnerability was discovered on March 30, 2023, and was publicly disclosed on April 17, 2023 (Fluid Advisory, MonicaHQ).

The vulnerability occurs due to improper validation of user-input data when creating and editing contact characteristics within the application. The issue has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability allows for the injection of template expressions that can be evaluated by the application, such as mathematical expressions (e.g., {{7*7}}) and arbitrary JavaScript code execution (Fluid Advisory).

The vulnerability allows authenticated attackers to execute arbitrary JavaScript code in the context of other users' sessions. This can lead to various attacks including cookie theft, session hijacking, and potential CSRF attacks that could be used to change user email addresses or delete accounts (Fluid Advisory).

At the time of disclosure, there was no official patch available for this vulnerability. Users are advised to upgrade to newer versions of MonicaHQ when available or implement input validation controls to prevent template injection attacks (Fluid Advisory).