Improper Authorization Vulnerability in Rocket.Chat Software
CVE-2023-28325

6.5MEDIUM

Key Information:

Vendor

Rocket.chat

Status
Rocket.chat
Vendor
CVE Published:
11 May 2023

What is CVE-2023-28325?

An improper authorization vulnerability in Rocket.Chat versions below 6.0 enables attackers to exploit the rid parameter. This flaw allows unauthorized users to manipulate messages in specific rooms by bypassing restrictions on the updateMessage method. The vulnerability undermines the expected authorization checks, potentially leading to unauthorized message editing and compromising user data integrity.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Rocket.Chat This issue has been fixed in version 6.0> and is backported for the supported versions. Check this document for more info: https://docs.rocket.chat/resources/get-support/enterprise-support#rocket.chat-versions

References

https://hackerone.com/reports/1406479

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.