269 matches found
Rocket.Chat 安全漏洞
Rocket.Chat is an open source team chat software. Chat suffers from an elevation of privilege vulnerability that stems from improper privilege management in the application, which can be exploited by any authenticated attacker to gain elevated privileges to view direct messages without proper...
Rocket.Chat 信息泄露漏洞
Rocket.Chat is an open source team chat software. A message disclosure vulnerability exists in Rocket.Chat versions prior to 5.0, which stems from the getUserMentionsByChannel meteor server method disclosing messages from private channels and direct messages, regardless of the user's access right...
PT-2022-21159 · Unknown · Rocket.Chat
Name of the Vulnerable Software and Affected Versions: Rocket.Chat versions prior to 5 Description: An information disclosure issue exists due to the getUserMentionsByChannel meteor server method, which discloses messages from private channels and direct messages regardless of the user's access...
PT-2022-22656 · Unknown · Rocket.Chat
Name of the Vulnerable Software and Affected Versions: Rocket.Chat versions prior to 5 Description: A information disclosure issue exists where the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the user's access permission...
CVE-2022-39840
Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a direct message DM...
PT-2022-25031 · Unknown · Cotonti Siena
Name of the Vulnerable Software and Affected Versions: Cotonti Siena version 0.9.20 Description: The issue allows admins to conduct stored XSS attacks via a direct message DM. Recommendations: For Cotonti Siena version 0.9.20, update to a version that fixes this issue, as using direct messages fo...
CVE-2022-31095 Exposure of Sensitive Information in discourse-chat
discourse-chat is a chat plugin for the Discourse application. Versions prior to 0.4 are vulnerable to an exposure of sensitive information, where an attacker who knows the message ID for a channel they do not have access to can view that message using the chat message lookup endpoint, primarily...
PT-2022-20523 · Discourse · Discourse-Chat
Name of the Vulnerable Software and Affected Versions: discourse-chat versions prior to 0.4 Description: The issue affects the discourse-chat plugin for the Discourse application, allowing an attacker who knows the message ID for a channel they do not have access to, to view that message using th...
Haraj v3.7 跨站脚本漏洞
A cross-site scripting vulnerability exists in Haraj v3.7, a buying and selling platform from Haraj Saudi Arabia. The vulnerability stems from a lack of data validation filtering of user-supplied data and output in some DM components. An attacker could exploit this vulnerability to execute...
Exploit for Cross-site Scripting in Angtech Haraj
CVE-2022-31300 Haraj Script 3.7 - DM Section Authenticated Sto...
Rocket.Chat: getUserMentionsByChannel leaks messages with mention from private channel
Summary The getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room. Description When calling the getUserMentionsByChannel method, the server does not check the users access to the given room...
X (Formerly Twitter): Bypass t.co link shortener in Twitter direct messages
The researcher demonstrated a way to create a link that will not be replaced with safe shortened t.co url, by sending Direct Messages containing more than 50 t.co links to another Twitter user. If the recipient views the message using Twitter’s Android app, and clicks the 51st link in the...
Twitter Fixes High-Severity Flaw Affecting Android Users
Twitter has fixed a vulnerability in its Android app, which could have enabled attackers to access private Twitter data, like direct messages DMs on Android devices. The flaw is related to an underlying Android operating system OS security issue CVE-2018-9492, which affects operating system...
Rocket.Chat: It is possible to elevate privileges for any authenticated user to view permissions matrix and view Direct messages without appropriate permissions.
Description: ===================== For the user with "View Private Room" permission only it is possible to rewrite permission role e.g. to admin in /api/v1/me method response via some proxy tools e.g. Charles and get access to servers permissions matrix and view Direct messages. Releases Affected...
PT-2020-14019 · Mattermost · Mattermost Server
Name of the Vulnerable Software and Affected Versions: Mattermost Server versions prior to 5.19.0 Description: An issue was discovered that allows attackers to rename a channel and cause a collision with a direct message. Recommendations: For versions prior to 5.19.0, update to version 5.19.0 or...
PT-2020-14008 · Mattermost · Mattermost Server
Name of the Vulnerable Software and Affected Versions: Mattermost Server versions prior to 5.23.0 Description: An issue allows attackers to cause a denial of service, specifically an infinite loop, by exploiting automatic direct message replies. Recommendations: For versions prior to 5.23.0, upda...
X (Formerly Twitter): iOS app crashed by specially crafted direct message reactions
Summary: iOS app crashed by specially crafted direct message reactions Description: Twitter does not properly sanitize direct message reactions, making it possible for arbitrary reaction text to be shown to the user via the message preview in the direct message list. Special characters such as \r...
Slack: DoS on the Direct Messages
In November 2019, @cyanpiny alerted us to a vulnerability that could have allowed an attacker to cause a denial of service for Slack users. We implemented a fix within weeks, and nothing further is required from users to be protected. Thank you to @cyanpiny for finding this!...
X (Formerly Twitter): Incorrect details on OAuth permissions screen allows DMs to be read without permission
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report! Summary: The OAuth screen can be tricke...
Twitter API Flaw Exposed Users Messages to Wrong Developers For Over a Year
The security and privacy issues with APIs and third-party app developers are something that's not just Facebook is dealing with. A bug in Twitter's API inadvertently exposed some users' direct messages DMs and protected tweets to unauthorized third-party app developers who weren't supposed to get...