Vulnerabilities > Rocket Chat > Rocket Chat > 3.0.12
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-09-23 | CVE-2022-32227 | Cleartext Transmission of Sensitive Information vulnerability in Rocket.Chat. A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to OAuth tokens: having the permission "view-full-other-user-info" could cause an OAuth token leak in the product. | 6.5 |
2022-09-23 | CVE-2022-32228 | Unspecified vulnerability in Rocket.Chat. An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 because the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary message IDs. | 4.3 |
2022-09-23 | CVE-2022-32229 | Unspecified vulnerability in Rocket.Chat. An information disclosure vulnerability exists in Rocket.Chat <v5 because /api/v1/chat.getThreadsList does not sanitize user inputs and can therefore leak private thread messages to unauthorized users via MongoDB injection. | 4.3 |
2022-09-23 | CVE-2022-35246 | Unspecified vulnerability in Rocket.Chat. A NoSQL-injection information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users who should not be able to access them. | 4.3 |
2022-09-23 | CVE-2022-35247 | Missing Authorization vulnerability in Rocket.Chat. An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomRoles Meteor method leaks channel members with special roles to unauthorized clients. | 4.3 |
2022-09-23 | CVE-2022-35248 | Improper Authentication vulnerability in Rocket.Chat. An improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allows two-factor authentication to be bypassed by telling the server to use CAS during login. | 8.8 |
2022-09-23 | CVE-2022-35249 | Missing Authorization vulnerability in Rocket.Chat. An information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room. | 4.3 |
2022-09-23 | CVE-2022-35250 | Incorrect Permission Assignment for Critical Resource vulnerability in Rocket.Chat. A privilege escalation vulnerability exists in Rocket.Chat <v5 which made it possible for any authenticated user to elevate privileges and view direct messages without appropriate permissions. | 4.3 |
2022-09-23 | CVE-2022-35251 | Cross-site Scripting vulnerability in Rocket.Chat. A cross-site scripting vulnerability exists in Rocket.Chat <v5 due to style injection in the complete chat window: an adversary is able not only to manipulate its style, but also to block functionality and hijack the content of targeted users. | 5.4 |
2021-10-18 | CVE-2020-8291 | Cross-site Scripting vulnerability in Rocket.Chat. A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks. | 6.1 |