
CVSS: 8.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

07 Oct 2024 — The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it given sufficient time and resources. • https://hackerone.com/reports/2546437 • CWE-1391: Use of Weak Credentials

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Sep 2024 — Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier are vulnerable to DOM-based cross-site scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message containing an XSS payload. • https://docs.rocket.chat/docs/rocketchat-security-fixes-updates-and-advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Sep 2024 — Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier are vulnerable to denial of service (DoS). Attackers who craft messages containing specific characters may crash the workspace because of an issue in the message parser. • https://docs.rocket.chat/docs/rocketchat-security-fixes-updates-and-advisories

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Sep 2024 — Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allow stored XSS in the description and release notes of marketplace and private apps. • https://docs.rocket.chat/docs/rocketchat-security-fixes-updates-and-advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Sep 2024 — The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, because third-party external actions encountered in PDF documents are not opened in a separate browser. • https://github.com/RocketChat/Rocket.Chat/releases/tag/6.3.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.6 • EPSS: 71% • CPEs: 1 • EXPL: 1

05 Aug 2024 — A Server-Side Request Forgery (SSRF) vulnerability affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. • https://github.com/typical-pashochek/CVE-2024-39713 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Jul 2024 — Livechat messages can be leaked by chaining two NoSQL injections affecting livechat:loginByToken (pre-authentication) and livechat:loadHistory. • https://hackerone.com/reports/2580062 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Mar 2024 — Rocket.Chat.Audit through 5ad78e8 depends on filecachetools, which does not exist on PyPI. • https://github.com/RocketChat/Rocket.Chat.Audit/blob/5ad78e8017a9e190602e8257c22500ded0d931a9/requirements.txt#L3 • CWE-311: Missing Encryption of Sensitive Data

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 May 2023 — A vulnerability has been identified in Rocket.Chat where the ACL checks in the /mute slash command occur after the check of whether a user is a member of a given channel, leaking private channel membership to unauthorized users. This allows authenticated users to enumerate whether a username is a member of a channel they do not have access to. • https://hackerone.com/reports/1445810 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-863: Incorrect Authorization

CVSS: 5.3 • EPSS: 1% • CPEs: 1 • EXPL: 0

11 May 2023 — A NoSQL injection vulnerability has been identified in the listEmojiCustom method call within Rocket.Chat. It can be exploited by unauthenticated users when at least one custom emoji has been uploaded to the Rocket.Chat instance. The vulnerability causes a delay in the server response, with the potential for limited impact. • https://hackerone.com/reports/1757676 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')