Markdown Parsing Flaw in Rocket.Chat's Search Messages Feature
CVE-2023-28358
6.1 MEDIUM
What is CVE-2023-28358?
A markdown parsing flaw in the 'Search Messages' feature of Rocket.Chat permits the insertion of malicious tags. The flaw is particularly exploitable in environments where content security policies are not enforced. Adversaries can leverage it to execute various attacks, including but not limited to account takeover, which poses significant risks to users' accounts and the integrity of the application.
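Because the description ties exploitability to content security policies not being enforced, the following added example (not Rocket.Chat code) classifies a response's CSP headers by whether inline script would be blocked. The function names and the sample header sets are hypothetical and constructed for illustration.

```javascript
// Added example: classify a response's CSP with respect to inline script.
// Assumption: only script-src and default-src are examined; script-src-elem
// and script-src-attr overrides are not modelled.
function parsePolicies(headerValue) {
  // One header value may carry several comma-separated policies.
  return headerValue.split(',').map((policy) => {
    const directives = new Map();
    for (const part of policy.split(';')) {
      const [name, ...sources] = part.trim().split(/\s+/);
      if (!name) continue;
      const key = name.toLowerCase();
      // A repeated directive is ignored by browsers: the first one wins.
      if (!directives.has(key)) directives.set(key, sources.map((s) => s.toLowerCase()));
    }
    return directives;
  }).filter((d) => d.size > 0);
}

function policyBlocksInline(directives) {
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return false; // scripts are unrestricted
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
  return hasNonceOrHash || !sources.includes("'unsafe-inline'");
}

function inlineScriptVerdict(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const enforced = h['content-security-policy'];
  if (enforced === undefined) {
    // A Report-Only policy logs violations but does not stop them.
    return h['content-security-policy-report-only'] !== undefined ? 'report-only' : 'missing';
  }
  // Every enforced policy must allow an action, so one blocking policy suffices.
  return parsePolicies(enforced).some(policyBlocksInline) ? 'inline-blocked' : 'inline-allowed';
}

// Constructed sample header sets (not captured from any real deployment).
const samples = [
  {},
  { 'Content-Security-Policy-Report-Only': "script-src 'self'" },
  { 'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'" },
  { 'Content-Security-Policy': "default-src 'self'" },
];
for (const s of samples) console.log(JSON.stringify(s), '->', inlineScriptVerdict(s));
```

Any verdict other than `inline-blocked` means the policy would not stop an injected inline script or event-handler attribute from running.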
Affected Version(s)
Rocket.Chat: This issue has been fixed in version 6.0> and is backported for the supported versions. Check this document for more info: https://docs.rocket.chat/resources/get-support/enterprise-support#rocket.chat-versions