Vulnerabilities > Rocket Chat > Rocket Chat > 3.6.1

DATE CVE VULNERABILITY TITLE RISK
2023-05-11 CVE-2023-28325 Improper Authentication vulnerability in Rocket.Chat
An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method that only checks whether the user is allowed to edit message in the target room.
network
low complexity
rocket-chat CWE-287
6.5
2023-05-11 CVE-2023-28356 Resource Exhaustion vulnerability in Rocket.Chat
A vulnerability has been identified where a maliciously crafted message containing a specific chain of characters can cause the chat to enter a hot loop on one of the processes, consuming ~120% CPU and rendering the service unresponsive.
network
low complexity
rocket-chat CWE-400
7.5
2023-05-11 CVE-2023-28357 Information Exposure vulnerability in Rocket.Chat
A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel, leaking private channel members to unauthorized users.
network
low complexity
rocket-chat CWE-200
4.3
2023-05-11 CVE-2023-28358 Cross-site Scripting vulnerability in Rocket.Chat
A vulnerability has been discovered in Rocket.Chat where a markdown parsing issue in the "Search Messages" feature allows the insertion of malicious tags.
network
low complexity
rocket-chat CWE-79
6.1
2023-05-11 CVE-2023-28359 SQL Injection vulnerability in Rocket.Chat
A NoSQL injection vulnerability has been identified in the listEmojiCustom method call within Rocket.Chat.
network
low complexity
rocket-chat CWE-89
5.3
2023-03-10 CVE-2023-23911 Inadequate Encryption Strength vulnerability in Rocket.Chat
An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat room by a user changing the group key of a chat room.
network
low complexity
rocket-chat CWE-326
7.5
2023-02-23 CVE-2023-23917 Unspecified vulnerability in Rocket.Chat
A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account.
network
low complexity
rocket-chat
8.8
2022-09-23 CVE-2022-32211 SQL Injection vulnerability in Rocket.Chat
A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retrieve a reset password token through or a 2fa secret.
network
low complexity
rocket-chat CWE-89
8.8
2022-09-23 CVE-2022-32218 Information Exposure Through Discrepancy vulnerability in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.
network
low complexity
rocket-chat CWE-203
4.3
2022-09-23 CVE-2022-32220 Missing Authorization vulnerability in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room.
network
low complexity
rocket-chat CWE-862
6.5