CVE-2023-50465: 
NixOS vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) version 4.0.0. The vulnerability allows an authenticated user to execute arbitrary web scripts through uploading a malicious SVG document (NVD, CVE). The vulnerability was discovered and disclosed on December 10, 2023.

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability specifically involves the document upload functionality where SVG files are not properly sanitized before being stored and rendered (NVD).

When successfully exploited, this vulnerability allows authenticated attackers to inject and execute arbitrary web scripts in the context of other users' browsers who access the malicious SVG file. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (NVD).

The vulnerability has been patched in subsequent versions after 4.0.0. Users are advised to upgrade to the latest version of Monica to mitigate this security issue (Monica Releases).