Vulnerabilities > Rocket Chat
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-09 | CVE-2023-28316 | Session Fixation vulnerability in Rocket.Chat A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. | 9.8 |
| 2023-05-09 | CVE-2023-28317 | Unspecified vulnerability in Rocket.Chat A vulnerability has been discovered in Rocket.Chat, where editing messages can change the original timestamp, causing the UI to display messages in an incorrect order. | 5.3 |
| 2023-05-09 | CVE-2023-28318 | Unspecified vulnerability in Rocket.Chat A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the Message_KeepHistory or Message_ShowDeletedStatus server configuration. | 5.3 |
| 2023-03-10 | CVE-2023-23911 | Inadequate Encryption Strength vulnerability in Rocket.Chat An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat room by a user changing the group key of a chat room. | 7.5 |
| 2023-02-23 | CVE-2023-23917 | Unspecified vulnerability in Rocket.Chat A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account. | 8.8 |
| 2022-12-23 | CVE-2022-44567 | OS Command Injection vulnerability in Rocket.Chat A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). | 9.8 |
| 2022-09-23 | CVE-2022-32211 | SQL Injection vulnerability in Rocket.Chat A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retrieve a reset password token through or a 2fa secret. | 8.8 |
| 2022-09-23 | CVE-2022-32218 | Information Exposure Through Discrepancy vulnerability in Rocket.Chat An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries. | 4.3 |
| 2022-09-23 | CVE-2022-32220 | Missing Authorization vulnerability in Rocket.Chat An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room. | 6.5 |
| 2022-09-23 | CVE-2022-32227 | Cleartext Transmission of Sensitive Information vulnerability in Rocket.Chat A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the product. | 6.5 |