
CVE-2021-22886
https://notcve.org/view.php?id=CVE-2021-22886
26 Mar 2021 — Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app. • https://docs.rocket.chat/guides/security/security-updates • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-8292
https://notcve.org/view.php?id=CVE-2020-8292
21 Jan 2021 — Rocket.Chat server before 3.9.0 is vulnerable to a self cross-site scripting (XSS) vulnerability via the drag & drop functionality in message boxes. • https://docs.rocket.chat/guides/security/security-updates • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-8288
https://notcve.org/view.php?id=CVE-2020-8288
21 Jan 2021 — The `specializedRendering` function in Rocket.Chat server before 3.9.2 allows a cross-site scripting (XSS) vulnerability by way of the `value` parameter. • https://docs.rocket.chat/guides/security/security-updates • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-28208 – Rocket.Chat 3.7.1 Email Address Enumeration
https://notcve.org/view.php?id=CVE-2020-28208
07 Jan 2021 — An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1. Rocket.Chat versions 3.7.1 and below suffer from an email address enumeration vulnerability. • https://packetstorm.news/files/id/160845 • CWE-203: Observable Discrepancy •

CVE-2020-29594
https://notcve.org/view.php?id=CVE-2020-29594
30 Dec 2020 — Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 mishandles SAML login. • https://github.com/RocketChat/Rocket.Chat/compare/3.8.2...3.8.3 •

CVE-2020-15926
https://notcve.org/view.php?id=CVE-2020-15926
18 Aug 2020 — Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct message to the client which results in remote code execution on the client side. • https://blog.redteam.pl/2020/08/rocket-chat-xss-rce-cve-2020-15926.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2019-17220 – Rocket.Chat 2.1.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-17220
21 Oct 2019 — Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. Rocket.Chat version 2.1.0 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/154944 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2018-13878
https://notcve.org/view.php?id=CVE-2018-13878
11 Jul 2018 — An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel. • https://github.com/RocketChat/Rocket.Chat/pull/10793 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2018-13879
https://notcve.org/view.php?id=CVE-2018-13879
11 Jul 2018 — A reflected XSS issue was discovered in the registration form in Rocket.Chat before 0.66. When one creates an account, the next step will ask for a username. This field will not save HTML control characters but an error will be displayed that shows the attempted username unescaped via packages/rocketchat-ui-login/client/username/username.js in packages/rocketchat-ui-login/client/username/username.html. • https://github.com/RocketChat/Rocket.Chat/issues/10795 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2017-1000493
https://notcve.org/view.php?id=CVE-2017-1000493
03 Jan 2018 — Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover. • http://blog.sbarbeau.fr/2018/03/nosql-injection-leading-to.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •