CVE-2023-23917
HIGHRocket.Chat < 5.2.0 - Prototype Pollution leading to Remote Code Execution
Title source: llmDescription
A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to a RCE under the admin account. Any user can create their own server in your cloud and become an admin so this vulnerability could affect the cloud infrastructure. This attack vector also may increase the impact of XSS to RCE which is dangerous for self-hosted users as well.
References (1)
Core 1
Core References
Permissions Required
https://hackerone.com/reports/1631258
Scores
CVSS v3
8.8
EPSS
0.0098
EPSS Percentile
57.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1321
CWE-77
Status
published
Products (1)
rocket.chat/rocket.chat
< 5.2.0
Published
Feb 23, 2023
Tracked Since
Feb 18, 2026