Vulnerabilities > Rocket Chat > Rocket Chat > 3.3.2
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-11 | CVE-2023-28325 | Improper Authentication vulnerability in Rocket.Chat An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method that only checks whether the user is allowed to edit message in the target room. | 6.5 |
2023-05-11 | CVE-2023-28356 | Resource Exhaustion vulnerability in Rocket.Chat A vulnerability has been identified where a maliciously crafted message containing a specific chain of characters can cause the chat to enter a hot loop on one of the processes, consuming ~120% CPU and rendering the service unresponsive. | 7.5 |
2023-05-11 | CVE-2023-28357 | Information Exposure vulnerability in Rocket.Chat A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users. | 4.3 |
2023-05-11 | CVE-2023-28358 | Cross-site Scripting vulnerability in Rocket.Chat A vulnerability has been discovered in Rocket.Chat where a markdown parsing issue in the "Search Messages" feature allows the insertion of malicious tags. | 6.1 |
2023-05-11 | CVE-2023-28359 | SQL Injection vulnerability in Rocket.Chat A NoSQL injection vulnerability has been identified in the listEmojiCustom method call within Rocket.Chat. | 5.3 |
2023-03-10 | CVE-2023-23911 | Inadequate Encryption Strength vulnerability in Rocket.Chat An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat room by a user changing the group key of a chat room. | 7.5 |
2023-02-23 | CVE-2023-23917 | Unspecified vulnerability in Rocket.Chat A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account. | 8.8 |
2022-09-23 | CVE-2022-32211 | SQL Injection vulnerability in Rocket.Chat A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retrieve a reset password token through or a 2fa secret. | 8.8 |
2022-09-23 | CVE-2022-32218 | Information Exposure Through Discrepancy vulnerability in Rocket.Chat An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries. | 4.3 |
2022-09-23 | CVE-2022-32220 | Missing Authorization vulnerability in Rocket.Chat An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room. | 6.5 |