Vulnerabilities > Rocket Chat > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-09-23 | CVE-2022-35249 | Missing Authorization vulnerability in Rocket.Chat A information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room. | 4.3 |
| 2022-09-23 | CVE-2022-35250 | Incorrect Permission Assignment for Critical Resource vulnerability in Rocket.Chat A privilege escalation vulnerability exists in Rocket.chat <v5 which made it possible to elevate privileges for any authenticated user to view Direct messages without appropriate permissions. | 4.3 |
| 2022-09-23 | CVE-2022-35251 | Cross-site Scripting vulnerability in Rocket.Chat A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window, an adversary is able to manipulate not only the style of it, but will also be able to block functionality as well as hijacking the content of targeted users. | 5.4 |
| 2022-04-01 | CVE-2022-21830 | Cross-site Scripting vulnerability in Rocket.Chat Livechat A blind self XSS vulnerability exists in RocketChat LiveChat <v1.9 that could allow an attacker to trick a victim pasting malicious code in their chat instance. | 6.1 |
| 2021-10-18 | CVE-2020-8291 | Cross-site Scripting vulnerability in Rocket.Chat A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks. | 6.1 |
| 2021-08-30 | CVE-2021-32832 | Unspecified vulnerability in Rocket.Chat Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. | 6.5 |
| 2021-03-26 | CVE-2021-22886 | Cross-site Scripting vulnerability in Rocket.Chat Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. | 6.1 |
| 2021-01-26 | CVE-2020-8292 | Cross-site Scripting vulnerability in Rocket.Chat Rocket.Chat server before 3.9.0 is vulnerable to a self cross-site scripting (XSS) vulnerability via the drag & drop functionality in message boxes. | 5.4 |
| 2021-01-26 | CVE-2020-8288 | Cross-site Scripting vulnerability in Rocket.Chat The `specializedRendering` function in Rocket.Chat server before 3.9.2 allows a cross-site scripting (XSS) vulnerability by way of the `value` parameter. | 5.4 |
| 2021-01-08 | CVE-2020-28208 | Information Exposure Through Discrepancy vulnerability in Rocket.Chat An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1. | 5.3 |