Rocket.Chat

Rocket.Chat

53 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2022-44567

  • EPSS 5.88%
  • Veröffentlicht 23.12.2022 15:15:15
  • Zuletzt bearbeitet 15.04.2025 15:16:00

A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L...

5.4

CVE-2022-35251

Exploit
  • EPSS 0.31%
  • Veröffentlicht 23.09.2022 19:15:14
  • Zuletzt bearbeitet 22.05.2025 19:15:34

A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window, an adversary is able to manipulate not only the style of it, but will also be able to block functionality as well as hijacking the cont...

4.3

CVE-2022-35250

Exploit
  • EPSS 0.28%
  • Veröffentlicht 23.09.2022 19:15:14
  • Zuletzt bearbeitet 22.05.2025 19:15:33

A privilege escalation vulnerability exists in Rocket.chat <v5 which made it possible to elevate privileges for any authenticated user to view Direct messages without appropriate permissions.

4.3

CVE-2022-35249

Exploit
  • EPSS 0.14%
  • Veröffentlicht 23.09.2022 19:15:14
  • Zuletzt bearbeitet 22.05.2025 19:15:33

A information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room.

8.8

CVE-2022-35248

Exploit
  • EPSS 0.25%
  • Veröffentlicht 23.09.2022 19:15:14
  • Zuletzt bearbeitet 21.11.2024 07:10:58

A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentication can be bypassed when telling the server to use CAS during login.

4.3

CVE-2022-35246

Exploit
  • EPSS 0.19%
  • Veröffentlicht 23.09.2022 19:15:13
  • Zuletzt bearbeitet 22.05.2025 20:15:24

A NoSQL-Injection information disclosure vulnerability vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users that should not be able to access.

4.3

CVE-2022-35247

Exploit
  • EPSS 0.29%
  • Veröffentlicht 23.09.2022 19:15:13
  • Zuletzt bearbeitet 22.05.2025 18:15:24

A information disclosure vulnerability exists in Rocket.chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leak channel members with special roles to unauthorized clients.

4.3

CVE-2022-32229

Exploit
  • EPSS 0.31%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 18:15:23

A information disclosure vulnerability exists in Rockert.Chat <v5 due to /api/v1/chat.getThreadsList lack of sanitization of user inputs and can therefore leak private thread messages to unauthorized users via Mongo DB injection.

4.3

CVE-2022-32228

Exploit
  • EPSS 0.31%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 19:15:32

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitr...

6.5

CVE-2022-32227

Exploit
  • EPSS 0.43%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 19:15:32

A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the product.