RSS   Vulnerabilities for 'Rocket.chat'   RSS

2021-10-18
 
CVE-2020-8291

CWE-79
 

 
A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks.

 
2021-08-09
 
CVE-2021-22910

CWE-74
 

 
A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an endpoint which could result in a NoSQL injection, potentially leading to RCE.

 
2021-07-05
 
CVE-2020-26763

NVD-CWE-noinfo
 

 
The Rocket.Chat desktop application 2.17.11 opens external links without user interaction.

 
2021-03-26
 
CVE-2021-22886

CWE-79
 

 
Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app.

 
2021-01-26
 
CVE-2020-8292

CWE-79
 

 
Rocket.Chat server before 3.9.0 is vulnerable to a self cross-site scripting (XSS) vulnerability via the drag & drop functionality in message boxes.

 
 
CVE-2020-8288

CWE-79
 

 
The `specializedRendering` function in Rocket.Chat server before 3.9.2 allows a cross-site scripting (XSS) vulnerability by way of the `value` parameter.

 
2021-01-08
 
CVE-2020-28208

CWE-203
 

 
An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1.

 
2020-12-30
 
CVE-2020-29594

NVD-CWE-noinfo
 

 
Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 mishandles SAML login.

 
2020-08-18
 
CVE-2020-15926

CWE-79
 

 
Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct message to the client which results in remote code execution on the client side.

 
2018-01-02
 
CVE-2017-1000493

CWE-74
 

 
Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover

 


Copyright 2024, cxsecurity.com

 

Back to Top