7 matches found
CVE-2022-35246
A NoSQL-Injection information disclosure vulnerability exists in Rocket.Chat...
EUVD-2022-38141
Malicious code in bioql PyPI...
Information disclosure
An information disclosure vulnerability exists in Rocket.Chat v5 where the getUserMentionsByChannel Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room...
Information disclosure
A NoSQL-Injection information disclosure vulnerability exists in Rocket.Chat v5, v4.8.2 and v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users that should not be able to access...
CVE-2022-35246
A NoSQL-Injection information disclosure vulnerability exists in Rocket.Chat v5, v4.8.2 and v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users that should not be able to access...
Rocket.Chat: NoSQL-Injection discloses S3 File Upload URLs
Summary: A NoSQL-Injection vulnerability in the getS3FileUrl Meteor server method can disclose arbitrary file upload URLs to users that should not be able to access them. Description: The fileId argument of the getS3FileUrl Meteor server method is not validated and can contain a regular expression. The...
Rocket.Chat: getUsersOfRoom discloses users in private channels
Summary: Improper input data validation in the getUsersOfRoom Meteor server method allows authenticated users to enumerate existing rooms and subscribed users. Description: Input data in the getUsersOfRoom Meteor server method is not type-validated, so MongoDB query operator objects are accept...