CVE-2024-45621

The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure to use a separate browser upon encountering third-party external actions from PDF documents.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*

History

16 Sep 2024, 17:28

Type Values Removed Values Added
CWE CWE-79
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
References () https://github.com/RocketChat/Rocket.Chat/releases/tag/6.3.4 - () https://github.com/RocketChat/Rocket.Chat/releases/tag/6.3.4 - Product
References () https://hackerone.com/reports/1967109 - () https://hackerone.com/reports/1967109 - Issue Tracking, Third Party Advisory
CPE cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*
First Time Rocket.chat
Rocket.chat rocket.chat

03 Sep 2024, 12:59

Type Values Removed Values Added
Summary
  • (es) La aplicación de escritorio Electron de Rocket.Chat hasta la versión 6.3.4 permite XSS almacenado a través de enlaces en un archivo cargado, relacionado con la imposibilidad de usar un navegador separado al encontrar acciones externas de terceros desde documentos PDF.

02 Sep 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-02 19:15

Updated : 2024-09-16 17:28


NVD link : CVE-2024-45621

Mitre link : CVE-2024-45621

CVE.ORG link : CVE-2024-45621


JSON object : View

Products Affected

rocket.chat

  • rocket.chat
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')