CVE-2018-13878
https://notcve.org/view.php?id=CVE-2018-13878
An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel. Se ha descubierto un problema de Cross-Site Scripting (XSS) en packages/rocketchat-mentions/Mentions.js en Rocket.Chat en versiones anteriores a la 0.65. El nombre real de un nombre de usuario se muestra sin escapar cuando se menciona al usuario (con el símbolo @) en un canal o chat privado. • https://github.com/RocketChat/Rocket.Chat/pull/10793 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-1000493
https://notcve.org/view.php?id=CVE-2017-1000493
Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover Rocket.Chat Server, en su versión 0.59 y anteriores, es vulnerable a una inyección NoSQL que conduce a la toma de control de la cuenta de administrador. • http://blog.sbarbeau.fr/2018/03/nosql-injection-leading-to.html https://github.com/RocketChat/Rocket.Chat/pull/8408 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •