Rocket.Chat · Rocket.Chat-Desktop · CVE-2022-44567
**Name of the Vulnerable Software and Affected Versions**
Rocket.Chat-Desktop versions prior to 3.8.14
**Description**
A command injection issue exists that could allow an attacker to pass a malicious URL to `shell.openExternal()`, potentially leading to remote code execution. The cause is that the `openInternalVideoChatWindow` function is exposed in the Rocket.Chat-Desktop-API, leaving it open to XSS attacks. The vulnerability can be exploited if the internal video chat window is disabled or if a Mac App Store build is used.
**Recommendations**
For versions prior to 3.8.14, update to version 3.8.14 or later to resolve the issue.
As a temporary workaround, consider disabling the `openInternalVideoChatWindow` function until a patch is available.
Restrict access to the `internalVideoChatWindow` module to minimize the risk of exploitation.
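The pattern described above (an exposed function forwarding a caller-supplied URL to `shell.openExternal()`) beside a hardened handler that only opens allowlisted web URLs, as an added illustration of the description and the recommendations; this is example code, not Rocket.Chat-Desktop's own. `openExternal` is injected as a parameter and the `allowedHosts` list is an assumed configuration, so the block runs under plain Node without Electron.

```javascript
// Added example (not Rocket.Chat-Desktop code): an unsafe "open external URL"
// handler next to a hardened one. Node's global URL class does the parsing.

// Schemes that may be handed to the OS. file:, javascript: and custom protocol
// handlers are refused. Assumption: the video chat only ever needs web URLs.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns a normalized URL string if `input` is acceptable, otherwise null.
// `allowedHosts` (assumed config) optionally pins the hostname to known servers.
function sanitizeExternalUrl(input, allowedHosts = null) {
  if (typeof input !== 'string' || input.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(input); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  if (parsed.username || parsed.password) return null; // no embedded credentials
  if (allowedHosts && !allowedHosts.includes(parsed.hostname)) return null;
  return parsed.href;
}

// Vulnerable pattern: whatever the caller supplies is forwarded unchanged,
// so anything that can call this function chooses what the OS opens.
function openVideoChatUnsafe(url, openExternal) {
  return openExternal(url);
}

// Hardened pattern: validate first, open only the normalized result,
// and return a structured outcome so rejections can be logged.
function openVideoChatSafe(url, openExternal, allowedHosts = null) {
  const safe = sanitizeExternalUrl(url, allowedHosts);
  if (safe === null) return { opened: false, reason: 'rejected url' };
  openExternal(safe);
  return { opened: true, url: safe };
}

// Stand-alone demo over constructed inputs; records what would be opened
// instead of launching anything.
function demo() {
  const opened = [];
  const fakeOpenExternal = (u) => opened.push(u);
  const inputs = [
    'https://meet.example.test/room/42', // constructed, allowed
    'file:///tmp/test',                  // constructed, wrong scheme
    'javascript:void(0)',                // constructed, wrong scheme
    'http://user:pw@meet.example.test/', // constructed, embedded credentials
  ];
  const results = inputs.map((u) => openVideoChatSafe(u, fakeOpenExternal, ['meet.example.test']));
  return { results, opened };
}
```

Running `demo()` opens exactly one URL, the https one; the other three are refused before `openExternal` is ever called.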