CVE-2022-35251

2022-09-2319:15:14

CWE-79

[email protected]

web.nvd.nist.gov

cve-2022-35251

cross-site scripting

xss

rocket.chat

security vulnerability

style injection

adversary

persistent attack vector

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

25.0%

JSON

A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window, an adversary is able to manipulate not only the style of it, but will also be able to block functionality as well as hijacking the content of targeted users. Hence the payloads are stored in messages, it is a persistent attack vector, which will trigger as soon as the message gets viewed.

Affected configurations

NVD

Node

rocket.chatrocket.chatRange<5.0

CPENameOperatorVersion
rocket.chat:rocket.chatrocket.chatlt5.0

CPE	Name	Operator	Version
rocket.chat:rocket.chat	rocket.chat	lt	5.0

CNA Affected

[
  {
    "product": "Rocket.chat",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in 5.0>"
      }
    ]
  }
]