Improper Authorization Vulnerability in Rocket.Chat Software
CVE-2023-28325

6.5MEDIUM

Key Information:

Vendor: Rocket.chat
Status: Rocket.chat
Vendor: CVE Published:; 11 May 2023

🔔 Create Rocket.chat Vulnerability Alert

What is CVE-2023-28325?

An improper authorization vulnerability in Rocket.Chat versions below 6.0 enables attackers to exploit the rid parameter. This flaw allows unauthorized users to manipulate messages in specific rooms by bypassing restrictions on the updateMessage method. The vulnerability undermines the expected authorization checks, potentially leading to unauthorized message editing and compromising user data integrity.

Affected Version(s)

Rocket.Chat This issue has been fixed in version 6.0> and is backported for the supported versions. Check this document for more info: https://docs.rocket.chat/resources/get-support/enterprise-support#rocket.chat-versions

References

https://hackerone.com/reports/1406479

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2023
Vulnerability Reserved
Mar 14, 2023