CVE-2022-44567

Name of the Vulnerable Software and Affected Versions Rocket.Chat-Desktop versions prior to 3.8.14

Description A command injection issue exists that could allow an attacker to pass a malicious URL to shell.openExternal(), potentially leading to remote code execution. This is because the openInternalVideoChatWindow function is exposed in the Rocket.Chat-Desktop-API, making it vulnerable to XSS attacks. The vulnerability can be exploited if the internal video chat window is disabled or if a Mac App Store build is used.

Recommendations For versions prior to 3.8.14, update to version 3.8.14 or later to resolve the issue. As a temporary workaround, consider disabling the openInternalVideoChatWindow function until a patch is available. Restrict access to the internalVideoChatWindow module to minimize the risk of exploitation.