Rocket.Chat - HackerOne Reports
Total Reports: 82 | Critical: 16 | High: 22 | Medium: 32 | Low: 9
Maliciously crafted message can cause Rocket.Chat server to stop responding
Reported by: vv9k | Disclosed | Severity: Medium | Weakness: Uncontrolled Resource Consumption

Mute User can disclose private channel members to unauthorized users
Reported by: gronke | Disclosed | Severity: Medium | Weakness: Information Disclosure

Hi! Security Team Rocket.Chat, It's possible to get information about the users emails without authentication
Reported by: khekhe | Disclosed | Severity: Low | Weakness: Information Disclosure

IDOR vulnerability leads to Deleting message after leaving/getting banned from group using message ID
Reported by: yash24 | Disclosed | Severity: Low | Weakness: Insecure Direct Object Reference (IDOR)

getUserMentionsByChannel leaks messages with mention from private channel
Reported by: gronke | Disclosed | Severity: High | Weakness: Information Disclosure

Pinning leaks message content
Reported by: gronke | Disclosed | Severity: High | Weakness: Information Disclosure

Possible Domain Takeover on AWS Instance.
Reported by: samuelsiv | Disclosed | Severity: Low | Weakness: Phishing

Blind XSS
Reported by: cyberasset | Disclosed | Severity: Low | Weakness: Cross-site Scripting (XSS) - Generic

XSS (leads to arbitrary file read in Rocket.Chat-Desktop)
Reported by: sectex | Disclosed | Severity: Low | Weakness: Cross-site Scripting (XSS) - Stored

Broken access control on apps
Reported by: theappsec | Disclosed | Severity: Critical | Weakness: Improper Access Control - Generic

Session Hijack via Self-XSS
Reported by: jcardona | Disclosed | Severity: Medium | Weakness: Cross-site Scripting (XSS) - DOM

REST API gets `query` as parameter and executes it
Reported by: paulocsanz | Disclosed | Severity: Medium | Weakness: Information Disclosure

Persistent CSS injection with ’marked’ markdown parser in Rocket.Chat
Reported by: danieljpp | Disclosed | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored

XSS via /api/v1/chat.postMessage
Reported by: gronke | Disclosed | Severity: Critical | Weakness: Cross-site Scripting (XSS) - Stored

Clickjacking in the admin page
Reported by: ant_pyne | Disclosed | Severity: Low | Weakness: UI Redressing (Clickjacking)

SAML authentication bypass through unauthenticated `addSamlProvider` Meteor Call
Reported by: fabianfreyer | Disclosed | Severity: Critical | Weakness: Improper Access Control - Generic

Server-side RCE through directory traversal-based arbitrary file write
Reported by: fabianfreyer | Disclosed | Severity: Critical | Weakness: Path Traversal

API route chat.getThreadsList leaks private message content
Reported by: gronke | Disclosed | Severity: High | Weakness: Information Disclosure

Blind XSS in the rocket.chat registration email
Reported by: edoverflow | Disclosed | Weakness: Cross-site Scripting (XSS) - Stored

getUsersOfRoom discloses users in private channels
Reported by: gronke | Disclosed | Severity: Medium