
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

The `specializedRendering` function in Rocket.Chat server before 3.9.2 allows cross-site scripting (XSS) via the `value` parameter.
• https://docs.rocket.chat/guides/security/security-updates
• https://hackerone.com/reports/899954
• https://rocket.chat/xss-vulnerability-hotfix-available-for-all-affected-versions
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3EPSS: 2%CPEs: 1EXPL: 6

An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1. Rocket.Chat versions 3.7.1 and below suffer from an email address enumeration vulnerability.
• http://packetstormsecurity.com/files/160845/Rocket.Chat-3.7.1-Email-Address-Enumeration.html
• http://seclists.org/fulldisclosure/2021/Jan/32
• http://seclists.org/fulldisclosure/2021/Jan/43
• http://www.openwall.com/lists/oss-security/2021/01/07/1
• http://www.openwall.com/lists/oss-security/2021/01/08/1
• http://www.openwall.com/lists/oss-security/2021/01/13/1
• https://trovent.github.io/security-advisories/TRSA-2010-01/TRSA-2010-01.txt
• https://trovent.io/security-advisory-201
• CWE-203: Observable Discrepancy

CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0

Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 mishandles SAML login.
• https://github.com/RocketChat/Rocket.Chat/compare/3.8.2...3.8.3
• https://github.com/RocketChat/Rocket.Chat/releases/tag/3.9.1

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

Rocket.Chat through 3.4.2 allows XSS: an attacker can send a specially crafted message to a channel or in a direct message to the client, which results in remote code execution on the client side.
• https://blog.redteam.pl/2020/08/rocket-chat-xss-rce-cve-2020-15926.html
• https://github.com/RocketChat/Rocket.Chat/commits/develop
• https://github.com/RocketChat/Rocket.Chat/pull/18356
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2

Rocket.Chat before 2.1.0 allows XSS via a URL on a `![title]` line. Rocket.Chat version 2.1.0 suffers from a cross-site scripting vulnerability.
• https://www.exploit-db.com/exploits/47537
• http://packetstormsecurity.com/files/154944/Rocket.Chat-2.1.0-Cross-Site-Scripting.html
• https://github.com/RocketChat/Rocket.Chat/commits/develop
• https://github.com/RocketChat/Rocket.Chat/releases
• https://www.nezami.me
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')