CVE-2024-39713
https://notcve.org/view.php?id=CVE-2024-39713
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. • https://hackerone.com/reports/1886954 • CWE-918: Server-Side Request Forgery (SSRF)
CVE-2024-37405
https://notcve.org/view.php?id=CVE-2024-37405
Livechat messages can be leaked by combining two NoSQL injections affecting livechat:loginByToken (pre-authentication) and livechat:loadHistory. • https://hackerone.com/reports/2580062 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-28357
https://notcve.org/view.php?id=CVE-2023-28357
A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users. This allows authenticated users to enumerate whether a username is a member of a channel that they do not have access to. • https://hackerone.com/reports/1445810 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-28325
https://notcve.org/view.php?id=CVE-2023-28325
An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method, which only checks whether the user is allowed to edit messages in the target room. • https://hackerone.com/reports/1406479 • CWE-285: Improper Authorization • CWE-287: Improper Authentication
CVE-2023-28356
https://notcve.org/view.php?id=CVE-2023-28356
A vulnerability has been identified where a maliciously crafted message containing a specific chain of characters can cause the chat to enter a hot loop on one of the processes, consuming ~120% CPU and rendering the service unresponsive. • https://hackerone.com/reports/1461340 • CWE-400: Uncontrolled Resource Consumption