Vulnerabilities > Rocket Chat
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-09 | CVE-2023-28316 | Session Fixation vulnerability in Rocket.Chat A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. | 9.8 |
| 2023-05-09 | CVE-2023-28317 | Unspecified vulnerability in Rocket.Chat A vulnerability has been discovered in Rocket.Chat, where editing messages can change the original timestamp, causing the UI to display messages in an incorrect order. | 5.3 |
| 2023-05-09 | CVE-2023-28318 | Unspecified vulnerability in Rocket.Chat A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the Message_KeepHistory or Message_ShowDeletedStatus server configuration. | 5.3 |
| 2023-03-10 | CVE-2023-23911 | Inadequate Encryption Strength vulnerability in Rocket.Chat An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat room by a user changing the group key of a chat room. | 7.5 |
| 2023-02-23 | CVE-2023-23917 | Unspecified vulnerability in Rocket.Chat A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account. | 8.8 |
| 2022-12-23 | CVE-2022-44567 | OS Command Injection vulnerability in Rocket.Chat A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). | 9.8 |
| 2022-09-23 | CVE-2022-30124 | Improper Authentication vulnerability in Rocket.Chat An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with physical access to a mobile device to bypass local authentication (PIN code). | 6.8 |
| 2022-09-23 | CVE-2022-32211 | SQL Injection vulnerability in Rocket.Chat A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retrieve a reset password token through or a 2fa secret. | 8.8 |
| 2022-09-23 | CVE-2022-32217 | Information Exposure Through Log Files vulnerability in Rocket.Chat A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due to Oauth token being leaked in plaintext in Rocket.chat logs. | 5.3 |
| 2022-09-23 | CVE-2022-32218 | Information Exposure Through Discrepancy vulnerability in Rocket.Chat An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries. | 4.3 |