Lucene search

MitreCVE-2024-46934

HistorySep 25, 2024 - 1:15 a.m.

CVE-2024-46934

2024-09-2501:15:44

CWE-79

mitre

web.nvd.nist.gov

rocket.chat

dom-based cross-site scripting

xss

updateotrack

cve-2024-46934

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

17.7%

JSON

Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that contains an XSS payload.

Affected configurations

Nvd

Node

rocket.chatrocket.chatRange<6.7.9

rocket.chatrocket.chatRange6.8.0–6.8.7

rocket.chatrocket.chatRange6.9.0–6.9.7

rocket.chatrocket.chatRange6.10.0–6.10.6

rocket.chatrocket.chatRange6.11.0–6.11.3

rocket.chatrocket.chatMatch6.12.0-

rocket.chatrocket.chatMatch6.12.0rc1

rocket.chatrocket.chatMatch6.12.0rc2

rocket.chatrocket.chatMatch6.12.0rc3

rocket.chatrocket.chatMatch6.12.0rc4

rocket.chatrocket.chatMatch6.12.0rc5

rocket.chatrocket.chatMatch6.12.0rc6

VendorProductVersionCPE
rocket.chatrocket.chat*cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*
rocket.chatrocket.chat6.12.0cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:-:*:*:*:*:*:*
rocket.chatrocket.chat6.12.0cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc1:*:*:*:*:*:*
rocket.chatrocket.chat6.12.0cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc2:*:*:*:*:*:*
rocket.chatrocket.chat6.12.0cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc3:*:*:*:*:*:*
rocket.chatrocket.chat6.12.0cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc4:*:*:*:*:*:*
rocket.chatrocket.chat6.12.0cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc5:*:*:*:*:*:*
rocket.chatrocket.chat6.12.0cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc6:*:*:*:*:*:*

Vendor	Product	Version	CPE
rocket.chat	rocket.chat	*	cpe:2.3:a:rocket.chat:rocket.chat::::::::
rocket.chat	rocket.chat	6.12.0	cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:-::::::
rocket.chat	rocket.chat	6.12.0	cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc1::::::
rocket.chat	rocket.chat	6.12.0	cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc2::::::
rocket.chat	rocket.chat	6.12.0	cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc3::::::
rocket.chat	rocket.chat	6.12.0	cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc4::::::
rocket.chat	rocket.chat	6.12.0	cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc5::::::
rocket.chat	rocket.chat	6.12.0	cpe:2.3:a:rocket.chat:rocket.chat:6.12.0:rc6::::::

References

docs.rocket.chat/docs/rocketchat-security-fixes-updates-and-advisories

github.com/RocketChat/Rocket.Chat/pull/33246

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

17.7%

JSON

Related for CVE-2024-46934