CVE-2018-13878
Rocket.Chat (Mentions.js) up to version 0.65 is affected by an XSS in which the real name of a mentioned user is displayed unescaped in channels or private chats, enabling potential exfiltration of tokens for users and admins. The issue is tied to the packages/rocketchat-mentions/Mentions.js path...