CVE-2021-22886 (CVSS base score 6.1)
- EPSS 0.75%
- Published 26.03.2021 19:15:11
- Last modified 21.11.2024 05:50:50
- Source support@hackerone.com
Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app.
Data provided by the National Vulnerability Database (NVD)
Affected configurations:
- Rocket.Chat ≫ Rocket.Chat Version < 3.8.8
- Rocket.Chat ≫ Rocket.Chat Version >= 3.9.0 < 3.9.7
- Rocket.Chat ≫ Rocket.Chat Version >= 3.10.0 < 3.10.5
- Rocket.Chat ≫ Rocket.Chat Version 3.11.0 Update rc0
- Rocket.Chat ≫ Rocket.Chat Version 3.11.0 Update rc1
- Rocket.Chat ≫ Rocket.Chat Version 3.11.0 Update rc2
- Rocket.Chat ≫ Rocket.Chat Version 3.11.0 Update rc3
- Rocket.Chat ≫ Rocket.Chat Version 3.11.0 Update rc4
- Rocket.Chat ≫ Rocket.Chat Version 3.11.0 Update rc5
- Rocket.Chat ≫ Rocket.Chat Version 3.11.0 Update rc6
- Rocket.Chat ≫ Rocket.Chat Version 3.11.0 Update rc7
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.75% | 0.728 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.