PT-2022-21159 · Unknown · Rocket.Chat
Author: Gronke · Published 2022-09-23 · Updated 2023-07-21
CVE-2022-32220
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Rocket.Chat versions prior to 5
Description
An information disclosure issue exists in the getUserMentionsByChannel Meteor server method, which returns messages from private channels and direct messages regardless of whether the calling user has access permission to the room.
Recommendations
For versions prior to 5, consider disabling the getUserMentionsByChannel method until a patch is available, to prevent information disclosure.
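The weakness here is a server method that trusts a caller-supplied room id and never checks whether the caller may read that room. The JavaScript below is an added illustration of that pattern, of the authorization check that closes it, and of the interim "disable the method" mitigation the recommendation describes; it is written for this page and is not Rocket.Chat's code. The room and message records, the helper names (canAccessRoom, getUserMentionsByChannelUnsafe, getUserMentionsByChannelSafe, disabledMethod, probe), the error strings, and the assumption that the method returns the messages in a room that mention the calling user are all constructed for the example.

```javascript
// Added illustration of the missing-authorization pattern behind CVE-2022-32220.
// NOT Rocket.Chat's code: data model, helper names and sample data are constructed.

// Constructed in-memory data: rooms with member lists, and messages.
// type "c" = public channel, "p" = private group, "d" = direct message.
const rooms = {
  "general":   { type: "c", members: ["alice", "bob", "carol"] },
  "security":  { type: "p", members: ["alice", "bob"] },
  "alice-bob": { type: "d", members: ["alice", "bob"] },
};

const messages = [
  { rid: "general",   u: "bob",   msg: "@carol can you review the release notes?", mentions: ["carol"] },
  { rid: "security",  u: "alice", msg: "@carol is not in this group, keep the key rotation here", mentions: ["carol"] },
  { rid: "alice-bob", u: "bob",   msg: "@carol asked about the incident, do not forward", mentions: ["carol"] },
];

// Authorization helper (assumed policy): public channels are readable by any
// logged-in user; private groups and direct messages only by their members.
// Unknown rooms fail closed.
function canAccessRoom(room, userId) {
  if (!room) return false;
  if (room.type === "c") return true;
  return room.members.includes(userId);
}

// Vulnerable shape: the method authenticates the caller but never authorizes
// the caller against the room, so mentions from private rooms and DMs are
// returned for any room id the caller supplies.
function getUserMentionsByChannelUnsafe(callerId, roomId) {
  if (!callerId) throw new Error("error-invalid-user");
  return messages.filter(m => m.rid === roomId && m.mentions.includes(callerId));
}

// Hardened shape: authenticate, then authorize against the room, and only
// then touch message data.
function getUserMentionsByChannelSafe(callerId, roomId) {
  if (!callerId) throw new Error("error-invalid-user");
  const room = rooms[roomId];
  if (!canAccessRoom(room, callerId)) throw new Error("error-not-allowed");
  return messages.filter(m => m.rid === roomId && m.mentions.includes(callerId));
}

// Interim mitigation from the advisory: disable the method outright until a
// patched release is deployed. A disabled method rejects every call.
function disabledMethod() {
  throw new Error("error-method-disabled");
}

// Small harness so the three behaviours can be compared programmatically.
function probe(fn, callerId, roomId) {
  try {
    return { ok: true, count: fn(callerId, roomId).length };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Stand-alone demonstration: carol is not a member of "security".
console.log("unsafe:", probe(getUserMentionsByChannelUnsafe, "carol", "security"));
console.log("safe:  ", probe(getUserMentionsByChannelSafe, "carol", "security"));
console.log("disabled:", probe(disabledMethod, "carol", "security"));
```

The point of the contrast is ordering: authentication alone (the `callerId` check) is not authorization, and the room lookup plus `canAccessRoom` must run before any query against message data, failing closed when the room does not exist. The disabled variant matches the advisory's interim recommendation and is what an operator gets while waiting for a patched release.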
Weakness types: Missing Authorization; Information Disclosure
Affected Products: Rocket.Chat