Writeup Exploits
62,925 exploits tracked across all sources.
Rocket.Chat <8.2.0 - NoSQL Injection
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, a NoSQL injection vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows unauthenticated attackers to manipulate MongoDB queries during authentication. The vulnerability is located in the username-based login flow where user-supplied input is directly embedded into a MongoDB query selector without validation. An attacker can inject MongoDB operator expressions (e.g., { $regex: '.*' }) in place of a username string, causing the database query to match unintended user records. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
CVSS 5.3
Rocket.Chat < 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, 8.2.0 - Authentication Bypass
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP Streamer does not enforce Two-Factor Authentication (2FA) or validate user account status (deactivated users can still login), despite these checks being mandatory in the standard Meteor login flow. This issue has been patched in versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0.
CVSS 9.8
Rocket.Chat < 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, 8.0.0 - Authentication Bypass
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.
CVSS 9.8
Rocket.Chat < 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, 8.0.0 - Authentication Bypass
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0, a critical authentication bypass vulnerability exists in Rocket.Chat's account service used in the ddp-streamer micro service that allows an attacker to log in to the service as any user with a password set, using any arbitrary password. The vulnerability stems from a missing await keyword when calling an asynchronous password validation function, causing a Promise object (which is always truthy) to be evaluated instead of the actual boolean validation result. This may lead to account takeover of any user whose username is known or guessable. This issue has been patched in versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, 7.12.4, 7.13.3, and 8.0.0.
CVSS 9.8
Rocket.Chat <6.12.0 - Info Disclosure
Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long as the user knows its ID, including potentially sensitive fields such as client_id and client_secret. This vulnerability is fixed in 6.12.0.
CVSS 7.7
RocketChat <7.6.1 - Info Disclosure
A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the function parseMessage of the file /apps/meteor/app/irc/server/servers/RFC2813/parseMessage.js. The manipulation of the argument line leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS 4.3
Rocket.Chat < 6.7.9 - Stored Cross-Site Scripting in Marketplace App Description and Release Notes
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps.
CVSS 5.4
Rocket.Chat <6.12.0 - Info Disclosure
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and before is vulnerable to a message forgery / impersonation issue. Attackers can abuse the UpdateOTRAck method to send ephemeral messages as if they were any other user they choose.
CVSS 7.5
Rocket.Chat < 6.7.9 - Denial of Service via Message Parser
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to denial of service (DoS). Attackers who craft messages with specific characters may crash the workspace due to an issue in the message parser.
CVSS 7.5
Rocket.Chat < 6.7.9 - DOM-based Cross-Site Scripting via UpdateOTRAck Method
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that contains an XSS payload.
CVSS 6.1
Rocket.Chat < 6.3.4 - Stored Cross-Site Scripting via Links in Uploaded Files
The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents.
CVSS 5.4
Rocket.Chat < 3.11.3 - Denial of Service via Regular Expression
Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. In Rocket.Chat before versions 3.11.3, 3.12.2, and 3.13 an issue with certain regular expressions could lead potentially to Denial of Service. This was fixed in versions 3.11.3, 3.12.2, and 3.13.
CVSS 4.3
Rocket.Chat < 3.8.8, < 3.9.7, < 3.10.5, < 3.11 - Stored Cross-Site Scripting via Nested Markdown Tags
Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on Rocket.Chat desktop app.
CVSS 6.1
Rocket.Chat < 3.9.0 - Cross-Site Scripting via Link Preview Rendering
A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks.
CVSS 6.1
Rocket.Chat <0.74.4, 1.x<1.3.4, 2.x<2.4.13, 3.x<3.7.3, 3.8.x<3.8.3,...
Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 mishandles SAML login.
CVSS 9.8
Rocket.Chat <0.74.4, 1.x<1.3.4, 2.x<2.4.13, 3.x<3.7.3, 3.8.x<3.8.3,...
Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 mishandles SAML login.
CVSS 9.8
Rocket.Chat desktop app <2.17.11 - Open Redirect
The Rocket.Chat desktop application 2.17.11 opens external links without user interaction.
CVSS 7.5
Rocket.Chat < 3.4.2 - Stored Cross-Site Scripting and Remote Code Execution via Crafted Message
Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct message to the client which results in remote code execution on the client side.
CVSS 6.1
Rocket.Chat < 2.1.0 - Cross-Site Scripting via Markdown Image URL
Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line.
CVSS 6.1
Rocket.Chat < 2.1.0 - Cross-Site Scripting via Markdown Image URL
Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line.
CVSS 6.1
Rocket.Chat < 0.66 - Reflected Cross-Site Scripting in Registration Username Field
A reflected XSS issue was discovered in the registration form in Rocket.Chat before 0.66. When one creates an account, the next step will ask for a username. This field will not save HTML control characters but an error will be displayed that shows the attempted username unescaped via packages/rocketchat-ui-login/client/username/username.js in packages/rocketchat-ui-login/client/username/username.html.
CVSS 5.4
Rocket.Chat < 0.65 - Stored Cross-Site Scripting via User Mention Real Name
An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel.
CVSS 6.1
Rocket.Chat Server <0.59 - Info Disclosure
Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover
CVSS 9.8
Cacti <= 1.2.7 - Authenticated Unsafe Deserialization in lib/functions.php
Cacti through 1.2.7 is affected by multiple instances of lib/functions.php unsafe deserialization of user-controlled data to populate arrays. An authenticated attacker could use this to influence object data values and control actions taken by Cacti or potentially cause memory corruption in the PHP module.
CVSS 8.1
nipper-ng 0.11.10 - Remote Code Execution or Denial of Service via Crafted Firewall Configuration File
A stack-based buffer overflow in the processPrivilage() function in IOS/process-general.c in nipper-ng 0.11.10 allows remote attackers (serving firewall configuration files) to achieve Remote Code Execution or Denial Of Service via a crafted file.
CVSS 7.8
By Source