PT-2022-22659 · Unknown · Rocket.Chat

Danieljpp · Published 2022-09-23 · Updated 2022-09-26 · CVE-2022-35251

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Rocket.Chat versions prior to 5

Description: A stored cross-site scripting issue exists due to style injection in the complete chat window. An adversary who can post a message can inject styles that alter the appearance of the chat window, block its functionality, and hijack the content shown to targeted users. Because the payload is stored in the message, the attack is persistent and fires each time the message is viewed. In the terms of the CVSS vector above, the attacker only needs a low-privileged account (PR:L), the victim only has to open the conversation containing the message (UI:R), and the scope change (S:C) reflects that the payload takes effect in other users' browsers rather than in the attacker's own session.

Recommendations: Update Rocket.Chat to version 5 or later, which resolves the issue. Until the upgrade can be done, restrict the use of styled content in messages, preferably by stripping inline style attributes and style elements on the server before a message is stored or broadcast, since a stored payload renders as soon as the message is displayed. Advising users to avoid viewing suspicious messages is at best a stopgap and should not be relied on as a control.
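The style-injection vector described above, as an added illustration of what a server-side message filter for the workaround has to remove. This is example code written for this page, not Rocket.Chat's own message renderer or its version 5 fix; the allow-lists, the helper names and the sample message are all assumptions constructed for the demonstration.

```javascript
// Added example: a minimal allow-list sanitizer for chat messages that removes
// the style-injection vectors described above (inline style attributes and
// <style> elements) before a message is stored or rendered into the chat window.
// Illustrative code only, not Rocket.Chat's renderer or the upstream fix.
// A production deployment should use a maintained HTML sanitizer instead.

// Assumed allow-lists: formatting elements a chat message may keep, and the
// only attribute that survives on them (href on links).
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "code", "pre", "a", "br"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };

// One tag: optional closing slash, tag name, raw attribute string.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
// One attribute: name and an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Rebuilds the attribute list of an allowed tag from scratch. style=, on*
// handlers and every other non-allow-listed attribute are dropped; href must
// be http(s) so javascript: links are removed as well.
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  let kept = "";
  ATTR_RE.lastIndex = 0;
  let a;
  while ((a = ATTR_RE.exec(rawAttrs)) !== null) {
    const attrName = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? "";
    if (!allowed.has(attrName)) continue;
    if (attrName === "href" && !/^https?:\/\//i.test(value.trim())) continue;
    kept += ` ${attrName}="${escapeText(value)}"`;
  }
  return kept;
}

// Returns the message with <style>/<script> elements removed together with
// their contents, unknown elements reduced to their text, and allowed
// elements re-emitted with sanitized attributes.
function sanitizeMessage(html) {
  let out = "";
  let last = 0;
  let dropUntil = null; // name of the element whose contents are being discarded
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [raw, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(last, m.index);
    last = m.index + raw.length;
    if (dropUntil) {
      // Inside <style> or <script>: skip text and tags until the matching close tag.
      if (slash && name === dropUntil) dropUntil = null;
      continue;
    }
    out += escapeText(text);
    if (name === "style" || name === "script") {
      if (!slash) dropUntil = name;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // strip the tag, keep its text
    if (slash) { out += `</${name}>`; continue; }
    out += `<${name}${sanitizeAttrs(name, attrs)}>`;
  }
  // An unclosed <style> would swallow the rest of the page, so drop the tail too.
  if (!dropUntil) out += escapeText(html.slice(last));
  return out;
}

// Detection check for the interim workaround: flag a message that carries a
// <style> element or an inline style attribute so it can be rejected or held
// before it reaches other users' clients.
function containsStyleInjection(html) {
  return /<style\b/i.test(html) || /<[^>]*\sstyle\s*=/i.test(html);
}

// Constructed sample message (not a real captured payload): an inline style
// that paints a full-window overlay with a fake prompt, a <style> block that
// hides parts of the UI, an inline handler and a javascript: link.
const SAMPLE_MESSAGE =
  '<span style="position:fixed;inset:0;background:#fff">Session expired, sign in again</span>' +
  '<style>.sidebar,.message-box{display:none}</style>' +
  'hi <b onclick="alert(1)">team</b> <a href="javascript:alert(1)">docs</a> 1 < 2';

console.log(containsStyleInjection(SAMPLE_MESSAGE)); // true
console.log(sanitizeMessage(SAMPLE_MESSAGE));
// Session expired, sign in againhi <b>team</b> <a>docs</a> 1 &lt; 2
```

Run it with Node. The overlay text survives as plain text, which is harmless; what matters is that no style reaches the client, so the message can no longer cover the chat window, hide controls or pass itself off as part of the interface.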

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2022-35251

Affected Products: Rocket.Chat