Filtered by vendor Rocket.chat Subscriptions
Filtered by product Rocket.chat Subscriptions
Total 49 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-17220 1 Rocket.chat 1 Rocket.chat 2024-11-21 6.1 Medium
Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line.
CVE-2018-13879 1 Rocket.chat 1 Rocket.chat 2024-11-21 N/A
A reflected XSS issue was discovered in the registration form in Rocket.Chat before 0.66. When one creates an account, the next step will ask for a username. This field will not save HTML control characters but an error will be displayed that shows the attempted username unescaped via packages/rocketchat-ui-login/client/username/username.js in packages/rocketchat-ui-login/client/username/username.html.
CVE-2018-13878 1 Rocket.chat 1 Rocket.chat 2024-11-21 N/A
An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel.
CVE-2017-1000493 1 Rocket.chat 1 Rocket.chat 2024-11-21 N/A
Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover
CVE-2024-46934 1 Rocket.chat 1 Rocket.chat 2024-09-26 6.1 Medium
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that contains an XSS payload.
CVE-2024-46935 1 Rocket.chat 1 Rocket.chat 2024-09-26 7.5 High
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to denial of service (DoS). Attackers who craft messages with specific characters may crash the workspace due to an issue in the message parser.
CVE-2024-47048 1 Rocket.chat 1 Rocket.chat 2024-09-26 5.4 Medium
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps.
CVE-2024-45621 1 Rocket.chat 1 Rocket.chat 2024-09-16 5.4 Medium
The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents.
CVE-2024-39713 1 Rocket.chat 1 Rocket.chat 2024-09-06 8.6 High
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.