Rocket.Chat

Rocket.Chat

53 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.5

CVE-2026-23477

Exploit
  • EPSS 0.03%
  • Veröffentlicht 14.01.2026 18:16:05
  • Zuletzt bearbeitet 26.01.2026 18:03:24

Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This e...

7.5

CVE-2025-7974

  • EPSS 0.06%
  • Veröffentlicht 02.09.2025 19:46:21
  • Zuletzt bearbeitet 27.01.2026 18:39:15

rocket.chat Incorrect Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of rocket.chat. Authentication is not required to exploit this vulnerabil...

7.5

CVE-2025-5892

Exploit
  • EPSS 0.22%
  • Veröffentlicht 09.06.2025 19:31:05
  • Zuletzt bearbeitet 10.07.2025 16:24:57

A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the function parseMessage of the file /apps/meteor/app/irc/server/servers/RFC2813/parseMessage.js. The manipulation of the argument lin...

6.7

CVE-2024-42027

  • EPSS 0.14%
  • Veröffentlicht 07.10.2024 13:15:15
  • Zuletzt bearbeitet 07.10.2024 19:37:18

The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it if they have the appropriate time and resources.

5.4

CVE-2024-47048

  • EPSS 0.14%
  • Veröffentlicht 25.09.2024 01:15:44
  • Zuletzt bearbeitet 25.03.2025 17:16:11

Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps.

7.5

CVE-2024-46935

  • EPSS 0.1%
  • Veröffentlicht 25.09.2024 01:15:44
  • Zuletzt bearbeitet 25.03.2025 17:16:10

Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to denial of service (DoS). Attackers who craft messages with specific characters may crash the workspace due to an issue in the message parser.

6.1

CVE-2024-46934

  • EPSS 0.11%
  • Veröffentlicht 25.09.2024 01:15:44
  • Zuletzt bearbeitet 25.03.2025 17:16:10

Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that contains an XSS payload.

5.4

CVE-2024-45621

  • EPSS 0.16%
  • Veröffentlicht 02.09.2024 19:15:13
  • Zuletzt bearbeitet 13.03.2025 21:15:41

The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents.

8.6

CVE-2024-39713

  • EPSS 89.28%
  • Veröffentlicht 05.08.2024 05:15:39
  • Zuletzt bearbeitet 06.09.2024 17:35:12

A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.

6.5

CVE-2024-37405

  • EPSS 0.33%
  • Veröffentlicht 12.07.2024 16:15:03
  • Zuletzt bearbeitet 21.11.2024 09:23:47

Livechat messages can be leaked by combining two NoSQL injections affecting livechat:loginByToken (pre-authentication) and livechat:loadHistory.