History: May 09, 2023 - 12:00 a.m.

CVE-2023-28316

2023-05-09 00:00:00
CWE-384
hackerone
www.cve.org
cve-2023-28316
rocket.chat
2fa
security vulnerability
compromised account

AI Score: 9.5 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 46.6%)

A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. This could potentially allow an attacker to maintain access to a compromised account even after 2FA is enabled.

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "Rocket.Chat",
    "versions": [
      {
        "version": "Fixed in  6.0> and back-ported accordingly to our supported versions. Check https://docs.rocket.chat/resources/get-support/enterprise-support#rocket.chat-versions for more info",
        "status": "affected"
      }
    ]
  }
]