
CVE-2024-46934
https://notcve.org/view.php?id=CVE-2024-46934
24 Sep 2024 — Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that contains an XSS payload. • https://docs.rocket.chat/docs/rocketchat-security-fixes-updates-and-advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-46935
https://notcve.org/view.php?id=CVE-2024-46935
24 Sep 2024 — Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to denial of service (DoS). Attackers who craft messages with specific characters may crash the workspace due to an issue in the message parser. • https://docs.rocket.chat/docs/rocketchat-security-fixes-updates-and-advisories

CVE-2024-47048
https://notcve.org/view.php?id=CVE-2024-47048
24 Sep 2024 — Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps. • https://docs.rocket.chat/docs/rocketchat-security-fixes-updates-and-advisories • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-45621
https://notcve.org/view.php?id=CVE-2024-45621
02 Sep 2024 — The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents. • https://github.com/RocketChat/Rocket.Chat/releases/tag/6.3.4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-39713
https://notcve.org/view.php?id=CVE-2024-39713
05 Aug 2024 — A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. • https://github.com/typical-pashochek/CVE-2024-39713 • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2024-37405
https://notcve.org/view.php?id=CVE-2024-37405
12 Jul 2024 — Livechat messages can be leaked by combining two NoSQL injections affecting livechat:loginByToken (pre-authentication) and livechat:loadHistory. • https://hackerone.com/reports/2580062 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2023-28325
https://notcve.org/view.php?id=CVE-2023-28325
11 May 2023 — An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow an attacker to manipulate the rid parameter passed to the updateMessage method, which only checks whether the user is allowed to edit messages in the target room. • https://hackerone.com/reports/1406479 • CWE-285: Improper Authorization CWE-287: Improper Authentication CWE-863: Incorrect Authorization

CVE-2023-28356
https://notcve.org/view.php?id=CVE-2023-28356
11 May 2023 — A vulnerability has been identified where a maliciously crafted message containing a specific chain of characters can cause the chat to enter a hot loop on one of the processes, consuming ~120% CPU and rendering the service unresponsive. • https://hackerone.com/reports/1461340 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2023-28357
https://notcve.org/view.php?id=CVE-2023-28357
11 May 2023 — A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users. This allows authenticated users to enumerate whether a username is a member of a channel that they do not have access to. • https://hackerone.com/reports/1445810 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-863: Incorrect Authorization

CVE-2023-28358
https://notcve.org/view.php?id=CVE-2023-28358
11 May 2023 — A vulnerability has been discovered in Rocket.Chat where a markdown parsing issue in the "Search Messages" feature allows the insertion of malicious tags. This can be exploited on servers with Content Security Policy disabled, possibly leading to attacks such as account takeover. • https://hackerone.com/reports/1781131 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')