CVE-2018-13879

Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 0.66

Description A reflected XSS issue was found in the registration form. When creating an account, the username field does not save HTML control characters, but an error message displays the attempted username unescaped. This issue is related to the username.js file in packages/rocketchat-ui-login/client/username/ and the username.html file in the same directory.

Recommendations For versions prior to 0.66, update to version 0.66 or later to resolve the issue. As a temporary workaround, consider restricting access to the registration form to minimize the risk of exploitation.