CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42027
https://notcve.org/view.php?id=CVE-2024-42027
The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it if they have the appropriate time and resources. • https://hackerone.com/reports/2546437 • CWE-1391: Use of Weak Credentials •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39713
https://notcve.org/view.php?id=CVE-2024-39713
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. • https://hackerone.com/reports/1886954 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37405
https://notcve.org/view.php?id=CVE-2024-37405
Livechat messages can be leaked by combining two NoSQL injections affecting livechat:loginByToken (pre-authentication) and livechat:loadHistory. • https://hackerone.com/reports/2580062 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28357
https://notcve.org/view.php?id=CVE-2023-28357
A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users. This allows authenticated users to enumerate whether a username is a member of a channel that they do not have access to. • https://hackerone.com/reports/1445810 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28325
https://notcve.org/view.php?id=CVE-2023-28325
An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method that only checks whether the user is allowed to edit message in the target room. • https://hackerone.com/reports/1406479 • CWE-285: Improper Authorization CWE-287: Improper Authentication •