CVE-2019-18641
Rock RMS prior to 1.8.6 contains a vulnerability in the People/GetVCard/REST controller where vCard access is mishandled, potentially allowing unauthorized access to vCard data. The issue is tied to the access control logic for vCard retrieval and is documented across multiple sources as CVE-2019...
CVE-2019-18643
Rock RMS is affected by CVE-2019-18643 in versions before 8.10 and 9.0–9.3 where uploaded files are validated only via a blacklist of extensions. Attackers can bypass this by adding multiple spaces and periods after the filename, enabling upload of ASPX code and potential remote code execution, w...
CVE-2019-18642
CVE-2019-18642 affects Rock RMS prior to version 8.6. The issue is an account takeover via tampering with the user ID parameter in the profile update flow, due to lack of validation and use of sequential user IDs. This allows a user to modify another account’s details (including email) with poten...