CVE-2023-28359
MEDIUMRocket.Chat < 6.0.0 - Unauthenticated NoSQL Injection via listEmojiCustom Method
Title source: llmDescription
A NoSQL injection vulnerability has been identified in the listEmojiCustom method call within Rocket.Chat. This can be exploited by unauthenticated users when there is at least one custom emoji uploaded to the Rocket.Chat instance. The vulnerability causes a delay in the server response, with the potential for limited impact.
References (1)
Core 1
Core References
Issue Tracking, Third Party Advisory
https://hackerone.com/reports/1757676
Scores
CVSS v3
5.3
EPSS
0.0061
EPSS Percentile
45.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (1)
rocket.chat/rocket.chat
< 6.0.0
Published
May 11, 2023
Tracked Since
Feb 18, 2026