Rocket.Chat

13 total issues disclosed
$0 total paid publicly
Most disclosed (4 disclosures) — Code Injection

Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Blind XSS | Cross-site Scripting (XSS) - Generic | cyberasset | Low | 2021-12-07 |
| Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution | None supplied | sonarsource | High | 2021-07-31 |
| Remote Code Execution in Rocket.Chat-Desktop | None supplied | sectex | Critical | 2020-11-07 |
| Desktop app RCE (#276031 bypass) | Code Injection | ivarsvids | High | 2020-11-05 |
| [Security Vulnerability Rocket.chat] HTML Injection into Email via Signup | Code Injection | steven_julian22 | Medium | 2020-06-24 |
| SAML authentication bypass | Improper Authentication - Generic | tomp1 | High | 2020-06-18 |
| account takeover on 3.0.1 version | Insecure Direct Object Reference (IDOR) | elfiman | Critical | 2020-06-14 |
| API Keys Hardcoded in Github repository | Use of Hard-coded Credentials | codermak | Medium | 2020-04-01 |
| Blind SQL injection in third-party software, that allows to reveal user statistic from rocket.chat and possibly hack into the rocketchat.agilecrm.com | SQL Injection | w2w | No rating | 2019-10-17 |
| XSS (stored) Wizard is saving executable code | Cross-site Scripting (XSS) - Stored | 24nitin | Medium | 2018-09-27 |
| Blind XSS in the rocket.chat registration email | Cross-site Scripting (XSS) - Stored | edoverflow | No rating | 2018-09-26 |
| Remote Code Execution in Rocket.Chat Desktop | Code Injection | mattaustin | High | 2018-09-19 |
| Remote code execution by hijacking an unclaimed S3 bucket in Rocket.Chat's installation script. | Code Injection | edoverflow | Medium | 2018-08-28 |