Vulnerabilities > Rocket Chat > Rocket Chat > 4.5.3

DATE CVE VULNERABILITY TITLE RISK
2023-03-10 CVE-2023-23911 Inadequate Encryption Strength vulnerability in Rocket.Chat
An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat room by a user changing the group key of a chat room.
network
low complexity
rocket-chat CWE-326
7.5
2023-02-23 CVE-2023-23917 Unspecified vulnerability in Rocket.Chat
A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account.
network
low complexity
rocket-chat
8.8
2022-09-23 CVE-2022-30124 Improper Authentication vulnerability in Rocket.Chat
An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with physical access to a mobile device to bypass local authentication (PIN code).
low complexity
rocket-chat CWE-287
6.8
2022-09-23 CVE-2022-32217 Information Exposure Through Log Files vulnerability in Rocket.Chat
A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due to Oauth token being leaked in plaintext in Rocket.chat logs.
network
low complexity
rocket-chat CWE-532
5.3
2022-09-23 CVE-2022-32218 Information Exposure Through Discrepancy vulnerability in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was found to allow Message ID Enumeration with Regex MongoDB queries.
network
low complexity
rocket-chat CWE-203
4.3
2022-09-23 CVE-2022-32219 Information Exposure vulnerability in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v4.7.5 which allowed the "users.list" REST endpoint gets a query parameter from JSON and runs Users.find(queryFromClientSide).
network
low complexity
rocket-chat CWE-200
4.3
2022-09-23 CVE-2022-32220 Missing Authorization vulnerability in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room.
network
low complexity
rocket-chat CWE-862
6.5
2022-09-23 CVE-2022-32226 Improper Input Validation vulnerability in Rocket.Chat
An improper access control vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to input data in the getUsersOfRoom Meteor server method is not type validated, so that MongoDB query operator objects are accepted by the server, so that instead of a matching rid String a$regex query can be executed, bypassing the room access permission check for every but the first matching room.
network
low complexity
rocket-chat CWE-20
4.3
2022-09-23 CVE-2022-32227 Cleartext Transmission of Sensitive Information vulnerability in Rocket.Chat
A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by having the permission "view-full-other-user-info", this could cause an oauth token leak in the product.
network
low complexity
rocket-chat CWE-319
6.5
2022-09-23 CVE-2022-32228 Unspecified vulnerability in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary Message IDs.
network
low complexity
rocket-chat
4.3