Vulnerabilities > Rocket Chat

DATE CVE VULNERABILITY TITLE RISK
2022-09-23 CVE-2022-32211 SQL Injection vulnerability in Rocket.Chat
A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retrieve a reset password token through or a 2fa secret.
network
low complexity
rocket-chat CWE-89
8.8
2022-09-23 CVE-2022-32218 Information Exposure Through Discrepancy vulnerability in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.
network
low complexity
rocket-chat CWE-203
4.3
2022-09-23 CVE-2022-32220 Missing Authorization vulnerability in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room.
network
low complexity
rocket-chat CWE-862
6.5
2022-09-23 CVE-2022-32227 Cleartext Transmission of Sensitive Information vulnerability in Rocket.Chat
A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the product.
network
low complexity
rocket-chat CWE-319
6.5
2022-09-23 CVE-2022-32228 Unspecified vulnerability in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary Message IDs.
network
low complexity
rocket-chat
4.3
2022-09-23 CVE-2022-32229 Unspecified vulnerability in Rocket.Chat
A information disclosure vulnerability exists in Rockert.Chat <v5 due to /api/v1/chat.getThreadsList lack of sanitization of user inputs and can therefore leak private thread messages to unauthorized users via Mongo DB injection.
network
low complexity
rocket-chat
4.3
2022-09-23 CVE-2022-35246 Unspecified vulnerability in Rocket.Chat
A NoSQL-Injection information disclosure vulnerability vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users that should not be able to access.
network
low complexity
rocket-chat
4.3
2022-09-23 CVE-2022-35248 Improper Authentication vulnerability in Rocket.Chat
A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentication can be bypassed when telling the server to use CAS during login.
network
low complexity
rocket-chat CWE-287
8.8
2022-09-23 CVE-2022-35249 Missing Authorization vulnerability in Rocket.Chat
A information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room.
network
low complexity
rocket-chat CWE-862
4.3
2022-04-01 CVE-2022-21830 Cross-site Scripting vulnerability in Rocket.Chat Livechat
A blind self XSS vulnerability exists in RocketChat LiveChat <v1.9 that could allow an attacker to trick a victim pasting malicious code in their chat instance.
4.3