CVE-2023-28359

MEDIUM

Rocket.Chat < 6.0.0 - Unauthenticated NoSQL Injection via listEmojiCustom Method

Title source: llm
STIX 2.1

Description

A NoSQL injection vulnerability has been identified in the listEmojiCustom method call within Rocket.Chat. This can be exploited by unauthenticated users when there is at least one custom emoji uploaded to the Rocket.Chat instance. The vulnerability causes a delay in the server response, with the potential for limited impact.

References (1)

Core 1
Core References
Issue Tracking, Third Party Advisory
https://hackerone.com/reports/1757676

Scores

CVSS v3 5.3
EPSS 0.0061
EPSS Percentile 45.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
rocket.chat/rocket.chat < 6.0.0
Published May 11, 2023
Tracked Since Feb 18, 2026