CVE-2023-28325

Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 6.0

Description An improper authorization issue exists that could allow a hacker to manipulate the rid parameter and change the updateMessage method, which only checks whether the user is allowed to edit a message in the target room.

Recommendations For versions prior to 6.0, update to version 6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the updateMessage method to minimize the risk of exploitation. Avoid using the rid parameter in sensitive operations until the issue is resolved.