Clickjacking at open.rocket.chat
Medium
Rocket.Chat
Submitted None
Team Summary
Official summary from Rocket.Chat
The researcher has informed us that our https://open.rocket.chat instance was not configured correctly with the "X-FRAME-OPTIONS" header. This feature exists in our product, but our community instance was not properly configured. After conducting a thorough investigation, we have acknowledged and accepted this report. However, we would like to clarify that we no longer accept vulnerability reports pertaining to our clients or community instances, such as https://open.rocket.chat or https://{customer}.rocket.chat.
Reported by
scriptsavvy
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
UI Redressing (Clickjacking)
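
A defender can audit an instance for the misconfiguration described in the summary by inspecting its response headers. The following is an added example, not code from the report or from Rocket.Chat; the function names and all header sets are constructed, and it goes beyond the `X-Frame-Options` header named above to also cover CSP `frame-ancestors`, which browsers give precedence.

```python
# Added example: audit a response's anti-framing headers.
# Function names are hypothetical; every header set below is constructed.

def frame_ancestors(policy):
    """Return the source list of the first frame-ancestors directive, or None."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def audit_framing(headers):
    """headers: list of (name, value) pairs. Returns (protected, reason)."""
    csp_lists = [frame_ancestors(v) for n, v in headers
                 if n.lower() == "content-security-policy"]
    csp_lists = [s for s in csp_lists if s is not None]
    if csp_lists:
        # Browsers that enforce frame-ancestors ignore X-Frame-Options.
        wide_open = {"*", "http:", "https:"}
        # Every policy must pass, so one restrictive policy is enough.
        if any(not wide_open & set(s) for s in csp_lists):
            return True, "CSP frame-ancestors restricts embedding"
        return False, "CSP frame-ancestors allows any origin"
    tokens = {t.strip().lower() for n, v in headers
              if n.lower() == "x-frame-options" for t in v.split(",")}
    tokens.discard("")
    # Conservative audit rule: only DENY or SAMEORIGIN counts as protection.
    if tokens & {"deny", "sameorigin"}:
        return True, "X-Frame-Options " + "/".join(sorted(tokens))
    if any(t.startswith("allow-from") for t in tokens):
        return False, "ALLOW-FROM is obsolete and not honoured by current browsers"
    if tokens:
        return False, "unrecognised X-Frame-Options value"
    return False, "no anti-framing header"

SAMPLES = {  # constructed header sets
    "missing": [("Content-Type", "text/html")],
    "deny": [("X-Frame-Options", "DENY")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://example.com")],
    "csp_self": [("Content-Security-Policy",
                  "default-src 'self'; frame-ancestors 'self'")],
    "csp_star": [("X-Frame-Options", "DENY"),
                 ("Content-Security-Policy", "frame-ancestors *")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit_framing(hdrs))
```

The `csp_star` case is the one that surprises people: a permissive `frame-ancestors` leaves the page frameable even though `X-Frame-Options: DENY` is also sent.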