
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

23 Sep 2022 — An information disclosure vulnerability exists in Rocket.Chat

CVSS: 9.0 | EPSS: 0% | CPEs: 2 | EXPL: 1

23 Sep 2022 — An improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two-factor authentication to be bypassed by telling the server to use CAS during login. • https://hackerone.com/reports/1448268 • CWE-287: Improper Authentication •
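The bug class behind the entry above, as an added illustration that is not Rocket.Chat's code: a server with more than one primary login path (password, CAS) that enforces the second factor inside only one of them, beside the same flow with a single 2FA gate applied after whichever path succeeded. Account data, the CAS ticket value and the TOTP code are constructed stand-ins; `verifyPassword`, `verifyTotp` and `verifyCasTicket` are hypothetical helpers.

```javascript
// Added example, not Rocket.Chat's code: a "2FA bypass via an alternative
// login method". Several primary authentication paths exist; the second
// factor must be enforced once, after whichever path succeeded, not inside
// one of them. Account data, ticket values and TOTP codes are constructed.

const ACCOUNTS = {
  alice: { password: 'correct horse', totpEnabled: true },
  bob:   { password: 'battery staple', totpEnabled: false },
};

// Stand-ins for the real verifiers: a real server hashes passwords, checks
// the TOTP code against the account's shared secret and asks the CAS server
// to validate the service ticket.
function verifyPassword(account, password) { return account.password === password; }
function verifyTotp(account, code) { return code === '123456'; }          // constructed code
function verifyCasTicket(ticket) {                                         // constructed ticket
  return ticket === 'ST-constructed-valid' ? 'alice' : null;
}

// VULNERABLE: the TOTP check lives inside the password branch only, so a
// request that presents a CAS ticket gets a session without a second factor.
function loginVulnerable(req) {
  if (req.cas) {
    const username = verifyCasTicket(req.cas.ticket);
    return username ? { session: username } : { error: 'bad ticket' };
  }
  const account = ACCOUNTS[req.username];
  if (!account || !verifyPassword(account, req.password)) return { error: 'bad credentials' };
  if (account.totpEnabled && !verifyTotp(account, req.totp)) return { error: 'totp required' };
  return { session: req.username };
}

// Hardened: each primary method only resolves a username; one shared gate
// then applies the account's 2FA policy before any session is issued.
function authenticatePrimary(req) {
  if (req.cas) return verifyCasTicket(req.cas.ticket);
  const account = ACCOUNTS[req.username];
  return account && verifyPassword(account, req.password) ? req.username : null;
}

function loginHardened(req) {
  const username = authenticatePrimary(req);
  if (!username || !ACCOUNTS[username]) return { error: 'bad credentials' };
  const account = ACCOUNTS[username];
  if (account.totpEnabled && !verifyTotp(account, req.totp)) return { error: 'totp required' };
  return { session: username };
}

// Demo: the same CAS-only request against both versions.
console.log('vulnerable:', loginVulnerable({ cas: { ticket: 'ST-constructed-valid' } }));
console.log('hardened:  ', loginHardened({ cas: { ticket: 'ST-constructed-valid' } }));
```

The check a reviewer wants for this class is structural: every function that can return a session must pass through the same 2FA gate, and adding a new login provider must not be able to skip it.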

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

23 Sep 2022 — A cross-site scripting vulnerability exists in Rocket.chat

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 1

30 Aug 2021 — Rocket.Chat is an open-source, fully customizable communications platform written in JavaScript. In Rocket.Chat before versions 3.11.3, 3.12.2 and 3.13, an issue with certain regular expressions could potentially lead to a denial of service (regular-expression denial of service, ReDoS). This was fixed in versions 3.11.3, 3.12.2 and 3.13. • https://docs.rocket.chat/guides/security/security-updates • CWE-400: Uncontrolled Resource Consumption •

CVSS: 9.8 | EPSS: 0% | CPEs: 3 | EXPL: 1

09 Aug 2021 — A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4 and <3.11.4 that allowed queries to an endpoint that could result in NoSQL injection, potentially leading to RCE. • https://blog.sonarsource.com/nosql-injections-in-rocket-chat • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) •

CVSS: 7.5 | EPSS: 0% | CPEs: 5 | EXPL: 1

27 May 2021 — An information disclosure vulnerability exists in the Rocket.Chat server, fixed in v3.13, v3.12.2 and v3.11.3, that allowed email addresses to be disclosed through enumeration and validation checks. • https://hackerone.com/reports/1089116 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •
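The observable-discrepancy pattern (CWE-203) behind the entry above, as an added illustration that is not Rocket.Chat's code: an email validation check whose status code and body differ for registered and unregistered addresses, the enumeration loop an attacker runs against such an oracle, and the same check fixed to answer uniformly. The registered set, the candidate list and the handler names are constructed for the example.

```javascript
// Added example, not Rocket.Chat's code: an "is this email available?" check
// that leaks registration state through its response, the enumeration that
// exploits it, and a uniform-response fix. All data here is constructed.

const REGISTERED = new Set(['alice@example.com', 'carol@example.com']);
const SYNTAX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// LEAKY: the status code and body tell the caller whether the address exists.
function checkEmailLeaky(email) {
  if (!SYNTAX.test(email)) return { status: 400, body: 'invalid email address' };
  if (REGISTERED.has(email)) return { status: 409, body: 'email already in use' };
  return { status: 200, body: 'ok' };
}

// FIXED: every syntactically valid address gets the same answer. Whether the
// address is taken only drives an out-of-band flow (a message to that inbox)
// and never reaches the HTTP response.
function checkEmailUniform(email) {
  if (!SYNTAX.test(email)) return { status: 400, body: 'invalid email address' };
  const taken = REGISTERED.has(email); // would select the out-of-band message
  void taken;
  return { status: 200, body: 'if this address can be registered you will receive an email' };
}

// Attacker side: submit each candidate and keep the ones whose response
// differs from a control address that is known not to be registered.
function enumerateEmails(check, candidates) {
  const control = check('nobody-control@example.net');
  return candidates.filter((email) => {
    const r = check(email);
    return r.status !== control.status || r.body !== control.body;
  });
}

// Demo with a constructed candidate list.
const demoCandidates = ['alice@example.com', 'bob@example.com', 'carol@example.com'];
console.log('leaky:  ', enumerateEmails(checkEmailLeaky, demoCandidates));
console.log('uniform:', enumerateEmails(checkEmailUniform, demoCandidates));
```

When testing a real endpoint the same comparison should also cover response length, headers and timing, since a uniform body can still leak through a cheaper code path for unknown addresses.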

CVSS: 9.8 | EPSS: 92% | CPEs: 3 | EXPL: 17

27 May 2021 — An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 and 3.13 that could lead to unauthenticated NoSQL injection, potentially resulting in RCE. • https://packetstorm.news/files/id/163419 • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) •
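The two NoSQL injection entries above (09 Aug 2021 and 27 May 2021) share one bug class, illustrated here with an added example that is not Rocket.Chat's code: a parsed JSON body spliced into a MongoDB-style query without a type check, the blind `$regex` technique that turns a yes/no lookup into a character-by-character leak of a hidden field, and the whitelisting fix. The in-memory `find` models only the operators the demo needs and stands in for a real MongoDB query; the collection, field names and the `lookupUser*` handlers are constructed for the example.

```javascript
// Added example, not Rocket.Chat's code: NoSQL injection through an
// unsanitized JSON body, blind extraction with $regex, and a type whitelist
// fix. The matcher below models only equality, $ne and $regex; it stands in
// for a real MongoDB find(). Collection contents are constructed.

const USERS = [
  { username: 'alice', secret: 'reset-token-1' },
  { username: 'bob',   secret: 'reset-token-2' },
];

// Minimal subset of MongoDB query semantics.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      const ops = Object.keys(cond);
      if (ops.length > 0 && ops.every((k) => k.startsWith('$'))) {
        return ops.every((op) => {
          if (op === '$ne') return value !== cond[op];
          if (op === '$regex') return new RegExp(cond[op]).test(String(value));
          throw new Error(`operator ${op} not modelled`);
        });
      }
      // A non-operator object is compared as a literal value, as MongoDB does.
      return JSON.stringify(value) === JSON.stringify(cond);
    }
    return value === cond;
  });
}

function find(query) {
  return USERS.filter((doc) => matches(doc, query));
}

// Copies the fields the endpoint accepts from the parsed body into a query.
function buildQuery(body, fields) {
  const q = {};
  for (const f of fields) if (body[f] !== undefined) q[f] = body[f];
  return q;
}

// VULNERABLE: the body is trusted to hold strings. A JSON body such as
// {"username": {"$ne": ""}} becomes an operator and matches every user.
function lookupUserVulnerable(body) {
  return find(buildQuery(body, ['username', 'secret']));
}

// Hardened: anything that is not a plain string is rejected before it can
// reach the database, so operator objects are never interpreted.
function assertPlainString(value, name) {
  if (typeof value !== 'string') throw new TypeError(`${name} must be a string`);
  return value;
}

function lookupUserHardened(body) {
  const q = buildQuery(body, ['username', 'secret']);
  for (const [k, v] of Object.entries(q)) assertPlainString(v, k);
  return find(q);
}

// Blind extraction: the endpoint only reveals whether something matched, yet
// an anchored $regex on the hidden field leaks it one character at a time.
const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789-';
const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

function leakSecret(lookup, username) {
  let known = '';
  for (;;) {
    const next = ALPHABET.split('').find((ch) =>
      lookup({ username, secret: { $regex: `^${escapeRegex(known + ch)}` } }).length > 0);
    if (next === undefined) return known;
    known += next;
  }
}

// Demo: the leak succeeds against the vulnerable handler and is refused by
// the hardened one at the first operator object.
console.log('leaked:', leakSecret(lookupUserVulnerable, 'alice'));
try {
  leakSecret(lookupUserHardened, 'alice');
} catch (e) {
  console.log('hardened:', e.message);
}
```

The type check is the load-bearing part: libraries that merely strip `$`-prefixed keys are a useful second layer, but rejecting non-string input at the boundary is what keeps the query shape under the server's control.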

CVSS: 6.1 | EPSS: 0% | CPEs: 11 | EXPL: 0

26 Mar 2021 — Rocket.Chat before 3.11, 3.10.5, 3.9.7 and 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags, allowing a remote attacker to inject arbitrary JavaScript into a message. This flaw leads to arbitrary file read and RCE in the Rocket.Chat desktop app. • https://docs.rocket.chat/guides/security/security-updates • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •