Rocket.Chat

Rocket.Chat

57 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
4.3

CVE-2022-35246

Exploit
  • EPSS 0.28%
  • Veröffentlicht 23.09.2022 19:15:13
  • Zuletzt bearbeitet 22.05.2025 20:15:24

A NoSQL-Injection information disclosure vulnerability vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users that should not be able to access.

4.3

CVE-2022-32229

Exploit
  • EPSS 0.45%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 18:15:23

A information disclosure vulnerability exists in Rockert.Chat <v5 due to /api/v1/chat.getThreadsList lack of sanitization of user inputs and can therefore leak private thread messages to unauthorized users via Mongo DB injection.

4.3

CVE-2022-32228

Exploit
  • EPSS 0.45%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 19:15:32

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitr...

6.5

CVE-2022-32227

Exploit
  • EPSS 0.46%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 19:15:32

A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the product.

4.3

CVE-2022-32226

Exploit
  • EPSS 0.15%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 19:15:32

An improper access control vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to input data in the getUsersOfRoom Meteor server method is not type validated, so that MongoDB query operator objects are accepted by the server, so that ins...

6.5

CVE-2022-32220

Exploit
  • EPSS 0.36%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 15:15:55

An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room.

4.3

CVE-2022-32219

Exploit
  • EPSS 0.31%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 15:15:55

An information disclosure vulnerability exists in Rocket.Chat <v4.7.5 which allowed the "users.list" REST endpoint gets a query parameter from JSON and runs Users.find(queryFromClientSide). This means virtually any authenticated user can access any d...

4.3

CVE-2022-32218

Exploit
  • EPSS 0.42%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 19:15:31

An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.

5.3

CVE-2022-32217

Exploit
  • EPSS 0.27%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 22.05.2025 19:15:31

A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due to Oauth token being leaked in plaintext in Rocket.chat logs.

8.8

CVE-2022-32211

Exploit
  • EPSS 0.53%
  • Veröffentlicht 23.09.2022 19:15:11
  • Zuletzt bearbeitet 27.05.2025 19:15:21

A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retrieve a reset password token through or a 2fa secret.