Vulnerabilities > Rocket Chat
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-09-23 | CVE-2022-35250 | Incorrect Permission Assignment for Critical Resource vulnerability in Rocket.Chat A privilege escalation vulnerability exists in Rocket.chat <v5 which made it possible to elevate privileges for any authenticated user to view Direct messages without appropriate permissions. | 4.3 |
| 2022-09-23 | CVE-2022-35251 | Cross-site Scripting vulnerability in Rocket.Chat A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window, an adversary is able to manipulate not only the style of it, but will also be able to block functionality as well as hijacking the content of targeted users. | 5.4 |
| 2022-04-01 | CVE-2022-21830 | Cross-site Scripting vulnerability in Rocket.Chat Livechat A blind self XSS vulnerability exists in RocketChat LiveChat <v1.9 that could allow an attacker to trick a victim pasting malicious code in their chat instance. | 6.1 |
| 2021-10-18 | CVE-2020-8291 | Cross-site Scripting vulnerability in Rocket.Chat A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks. | 6.1 |
| 2021-08-30 | CVE-2021-32832 | Resource Exhaustion vulnerability in Rocket.Chat Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. | 6.5 |
| 2021-08-09 | CVE-2021-22910 | Unspecified vulnerability in Rocket.Chat A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an endpoint which could result in a NoSQL injection, potentially leading to RCE. | 9.8 |
| 2021-07-05 | CVE-2020-26763 | Unspecified vulnerability in Rocket.Chat 2.17.11 The Rocket.Chat desktop application 2.17.11 opens external links without user interaction. | 7.5 |
| 2021-05-27 | CVE-2021-22892 | Information Exposure Through Discrepancy vulnerability in Rocket.Chat An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed email addresses to be disclosed by enumeration and validation checks. | 7.5 |
| 2021-05-27 | CVE-2021-22911 | Unspecified vulnerability in Rocket.Chat 3.11.0/3.12.0/3.13.0 A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE. | 9.8 |
| 2021-03-26 | CVE-2021-22886 | Cross-site Scripting vulnerability in Rocket.Chat Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. | 6.1 |