Rocket.Chat - HackerOne Reports
Total Reports: 82 | Critical: 16 | High: 22 | Medium: 32 | Low: 9
User Impersonation through sendMessage options
    Reported by: gronke | Disclosed: | Severity: Medium | Weakness: UI Redressing (Clickjacking)

CSS Injection in Message Avatar
    Reported by: gronke | Disclosed: | Severity: Medium | Weakness: Code Injection

Rocket.Chat Desktop client fails to open browser on 3rd party external actions from PDF documents
    Reported by: itssixtynein | Disclosed: | Severity: Low | Weakness: Cleartext Transmission of Sensitive Information

Unintended information disclosure in the Hubot Log files
    Reported by: rolfzur | Disclosed: | Severity: Medium | Weakness: Cleartext Storage of Sensitive Information

Blind SQL injection in third-party software, that allows to reveal user statistic from rocket.chat and possibly hack into the rocketchat.agilecrm.com
    Reported by: w2w | Disclosed: | Weakness: SQL Injection

Remote code execution by hijacking an unclaimed S3 bucket in Rocket.Chat's installation script.
    Reported by: edoverflow | Disclosed: | Severity: Medium | Weakness: Code Injection

Post-Auth Stored XSS with User Interaction leads to Remote Code Execution
    Reported by: sonarsource | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored

[Security Vulnerability Rocket.chat] HTML Injection into Email via Signup
    Reported by: steven_julian22 | Disclosed: | Severity: Medium | Weakness: Code Injection

Rocket.chat user info security issue
    Reported by: mikolajczak | Disclosed: | Severity: Medium | Weakness: Cleartext Transmission of Sensitive Information

Slack Token exposed over internet (Github)
    Reported by: sanjogpanda | Disclosed: | Weakness: Cleartext Storage of Sensitive Information

Server-side RCE through directory traversal-based arbitrary file write
    Reported by: fabianfreyer | Disclosed: | Severity: Critical | Weakness: Path Traversal

API route chat.getThreadsList leaks private message content
    Reported by: gronke | Disclosed: | Severity: High | Weakness: Information Disclosure

Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution
    Reported by: sonarsource | Disclosed: | Severity: High

Rocket.Chat Server RCE
    Reported by: yuske | Disclosed: | Severity: Critical | Weakness: Command Injection - Generic

SAML authentication bypass
    Reported by: tomp1 | Disclosed: | Severity: High | Weakness: Improper Authentication - Generic

Message ID Enumeration with Regular Expression in getReadReceipts Meteor method
    Reported by: gronke | Disclosed: | Severity: Medium | Weakness: Information Disclosure

The initial E2EE password generated by Rocket.Chat mobile can be recovered in a practical timescale.
    Reported by: h0011 | Disclosed: | Severity: High | Weakness: Use of Insufficiently Random Values

Authentication Bypass in login-token Authentication Method
    Reported by: gronke | Disclosed: | Severity: Critical | Weakness: Improper Authentication - Generic

getRoomRoles Method leaks Channel Owner
    Reported by: gronke | Disclosed: | Severity: Medium | Weakness: Information Disclosure

Regex account takeover
    Reported by: ghaem51 | Disclosed: | Severity: Critical | Weakness: SQL Injection