Rocket.Chat · Rocket.Chat · CVE-2018-13878
**Name of the Vulnerable Software and Affected Versions**
Rocket.Chat versions prior to 0.65
**Description**
A security issue was found in Rocket.Chat where a user's real name is displayed unescaped when that user is mentioned in a channel or private chat. This allows for the exfiltration of the secret token of every user in the channel, including admins.
**Recommendations**
For versions prior to 0.65, update to version 0.65 or later to resolve the issue. As a temporary workaround, consider restricting the use of the @ symbol for mentions until the update is applied.
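The class of flaw in the Description, shown as an added example: a simplified model of mention rendering, not Rocket.Chat's own code. The user records, the `name` field, the `mention-link` markup and all function names are assumptions made for illustration. It contrasts inserting the real name as-is with HTML-escaping it, and includes a check that lists accounts whose real name contains markup.

```javascript
// Constructed sample directory; bob's real name carries harmless markup.
const users = {
  alice: { name: "Alice Doe" },
  bob: { name: "Bob <i>Builder</i>" },
};

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape the message body, then turn each @username into a mention element
// that shows the user's real name. `encode` is applied to directory values.
function renderMentions(message, directory, encode) {
  return escapeHtml(message).replace(/(^|\s)@([A-Za-z0-9._-]+)/g, (match, lead, username) => {
    const known = Object.prototype.hasOwnProperty.call(directory, username);
    if (!known) return match; // unknown user: keep the text as typed
    const realName = directory[username].name;
    return `${lead}<a class="mention-link" data-username="${encode(username)}">${encode(realName)}</a>`;
  });
}

// Flawed form: the message is escaped, but the real name is inserted as-is,
// so markup stored in a profile reaches every reader's browser.
function renderUnescaped(message, directory) {
  return renderMentions(message, directory, (value) => value);
}

// Hardened form: every directory value is escaped at the point of output.
function renderEscaped(message, directory) {
  return renderMentions(message, directory, escapeHtml);
}

// Review aid: usernames whose stored real name contains angle brackets.
function findMarkupInNames(directory) {
  return Object.keys(directory).filter((u) => /[<>]/.test(String(directory[u].name)));
}

console.log(renderUnescaped("hi @bob", users));
console.log(renderEscaped("hi @bob", users));
console.log(findMarkupInNames(users));
```

Escaping only the message body is not enough: any field pulled from a profile and placed into HTML needs the same treatment where it is written out.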