NoSQL Injection Vulnerability in Rocket.Chat by Rocket.Chat Team
CVE-2023-28359

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 11 May 2023

What is CVE-2023-28359?

A NoSQL injection vulnerability has been found in the listEmojiCustom method call of Rocket.Chat. It can be exploited by unauthenticated users when at least one custom emoji exists in the system. The vulnerability may lead to delays in server response times, impacting user experience, although the overall implications are limited. Proper validation and sanitization of input parameters are essential to mitigate this risk.
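The input validation described above can be sketched as an allow-list check on a client-supplied filter object before it reaches the database driver. This is an added example, not Rocket.Chat's code or its actual fix; `validateFilter`, `ALLOWED_FIELDS`, `MAX_STRING_LENGTH` and the field names are assumptions made for illustration.

```javascript
// Added example (hypothetical names, not Rocket.Chat code): validate a
// client-supplied filter before it is passed to a MongoDB-style find().
// The field names below are constructed for this illustration.
const ALLOWED_FIELDS = new Set(['name', 'extension']);
const MAX_STRING_LENGTH = 64;

function isScalar(value) {
  return typeof value === 'string' || typeof value === 'number' || typeof value === 'boolean';
}

// Returns { ok: true, filter } with a rebuilt filter, or { ok: false, reason }.
function validateFilter(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, reason: 'filter must be a plain object' };
  }
  const filter = {};
  for (const key of Object.keys(input)) {
    // Keys starting with "$" are query operators; dotted keys reach into sub-documents.
    if (key.startsWith('$') || key.includes('.')) {
      return { ok: false, reason: `operator or dotted key rejected: ${key}` };
    }
    if (!ALLOWED_FIELDS.has(key)) {
      return { ok: false, reason: `unknown field: ${key}` };
    }
    const value = input[key];
    // Only equality matches on scalars are allowed, so a nested object
    // carrying an operator never reaches the query.
    if (!isScalar(value)) {
      return { ok: false, reason: `non-scalar value for field: ${key}` };
    }
    if (typeof value === 'string' && value.length > MAX_STRING_LENGTH) {
      return { ok: false, reason: `value too long for field: ${key}` };
    }
    filter[key] = value;
  }
  return { ok: true, filter };
}

// Constructed sample inputs: one legitimate filter and three that must be refused.
const samples = [
  { name: 'party' },
  { name: { $ne: null } },
  { $or: [] },
  'not-an-object',
];
for (const sample of samples) {
  const result = validateFilter(sample);
  console.log(JSON.stringify(sample), '->', result.ok ? 'accepted' : `rejected (${result.reason})`);
}
```

Rebuilding the filter from validated keys, rather than forwarding the caller's object, means anything not explicitly allowed is dropped by construction.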

Affected Version(s)

Rocket.Chat: This issue has been fixed in version 6.0> and is backported for the supported versions. Check this document for more info: https://docs.rocket.chat/resources/get-support/enterprise-support#rocket.chat-versions

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
