CVE-2020-28208

MEDIUM NUCLEI

Rocket.chat < 3.9.1 - Information Disclosure

Title source: rule

Description

An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1.

Nuclei Templates (1)

Rocket.Chat <3.9.1 - Information Disclosure

MEDIUMby pdteam

Shodan: http.title:"rocket.chat"

FOFA: title="rocket.chat"

References (8)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/160845/Rocket.Chat-3.7.1-Email-Address-Enumeration.html

[Broken Link, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2021/Jan/32

[Broken Link, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2021/Jan/43

[Exploit, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2021/01/07/1

[Exploit, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2021/01/08/1

[Exploit, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2021/01/13/1

[Exploit, Third Party Advisory] https://trovent.github.io/security-advisories/TRSA-2010-01/TRSA-2010-01.txt

[Exploit, Third Party Advisory] https://trovent.io/security-advisory-2010-01

Scores

CVSS v3 5.3

EPSS 0.3568

EPSS Percentile 97.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-203

Status published

Products (1)

rocket.chat/rocket.chat < 3.9.1

Published Jan 08, 2021

Tracked Since Feb 18, 2026