Security fixes and updates
This page includes regular updates about recently patched security issues in Rocket.Chat.
Do you want to report a security issue yourself? Please have a look at our Responsible Disclosure Policy. We appreciate your reports.
New issues are listed below, at first without details, to give administrators and users sufficient time to upgrade. Details of an issue are added with the next version release, e.g. details of fixes introduced in version x.1 are added when version x.2 is available.
Providing fixes for legacy versions of Rocket.Chat becomes increasingly difficult due to the code differences, which is why we focus on providing fixes for the most recent versions only. Please see our support policy, which outlines our supported versions.
Please make sure to follow new version updates by subscribing to our newsletters or activating the announcement feature for new releases directly in the Rocket.Chat server administration settings. We recommend updating to the newest version as soon as possible to always have the newest security fixes.
Issues
0034 - Medium Severity issue fixed at 2021-07-13.
Rocket.Chat Server - affects all, fixed on 3.14.6, 3.15.4, 3.16.3
Details about this security fix will be provided later as per our responsible disclosure policy. (reference: 3t33pd)
0033 - Medium Severity issue fixed at 2021-07-13.
Rocket.Chat Server - affects all, fixed on 3.14.6, 3.15.4, 3.16.3
Details about this security fix will be provided later as per our responsible disclosure policy. (reference: 5nc7fh)
0032 - Medium Severity issue fixed at 2021-07-13.
Rocket.Chat Server - affects all, fixed on 3.14.6, 3.15.4, 3.16.3
Details about this security fix will be provided later as per our responsible disclosure policy. (reference: 2x348d)
0031 - High Severity issue fixed at 2021-05-28.
Rocket.Chat Server - affects all, fixed on 3.12.7, 3.13.5, 3.14.4
(XSS) An issue with the HTML sanitizer could be exploited, leading to potential cross-site scripting. (reference: 4bak1j)
0030 - Medium Severity issue fixed at 2021-05-24.
Rocket.Chat Server - affects all, fixed on 3.12.6, 3.13.4, 3.14.2
(SSRF) A method could be called without authentication, leading to potential server-side request forgery. (reference: 317v72)
0029 - High Severity issue fixed at 2021-05-24.
Rocket.Chat Server - affects all, fixed on 3.12.6, 3.13.4, 3.14.2
(XSS) An improperly used front-end library together with a validation bypass in a function could be exploited, leading to potential cross-site scripting. (reference: 79y67r)
0028 - High Severity issue fixed at 2021-05-24.
Rocket.Chat Server - affects all, fixed on 3.12.6, 3.13.4, 3.14.2
(RCE) An API endpoint was vulnerable to NoSQL injection, leading to potential remote code execution. (reference: 3v29b6)
0027 - Medium Severity issue fixed at 2021-05-24.
Rocket.Chat Server - affects all, fixed on 3.12.6, 3.13.4, 3.14.2
(IDOR) An IDOR vulnerability could be used to export data of other users. (reference: 6tr8jg)
0026 - Critical Severity issue fixed at 2021-04-14.
Rocket.Chat Server - affects all, fixed on 3.13.2, 3.12.4, 3.11.4
(NoSQL injection) An unauthenticated method could be exploited for a potential NoSQL injection, resulting in potential account takeover. (reference: 3v299a)
0025 - Critical Severity issue fixed at 2021-04-14.
Rocket.Chat Server - affects all, fixed on 3.13.2, 3.12.4, 3.11.4
(NoSQL injection) An authenticated endpoint could be exploited for a potential NoSQL injection, resulting in potential account takeover. (reference: 3v29b6)
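Entries 0028, 0026 and 0025 all describe the same class of flaw: a request parameter that is expected to be a string is passed into a MongoDB selector unchecked, so a JSON body can supply a query operator instead of a value. The following is an added illustration of that class and is not Rocket.Chat's code; it does not reproduce the actual endpoints or selectors from these entries. The `users` collection and the tiny `find()` matcher are constructed stand-ins for a MongoDB driver, supporting only equality, `$ne`, `$regex` and `$in`.

```javascript
// Constructed sample data standing in for a MongoDB users collection.
const users = [
  { username: 'alice', email: 'alice@example.com', roles: ['admin'] },
  { username: 'bob', email: 'bob@example.com', roles: ['user'] },
];

// Minimal stand-in for MongoDB selector matching. A real driver supports far
// more operators; this is only enough to show how an operator object supplied
// by the client changes the matched set.
function matchesField(value, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      if (op === '$ne') return value !== arg;
      if (op === '$regex') return new RegExp(arg).test(String(value));
      if (op === '$in') return Array.isArray(arg) && arg.includes(value);
      throw new Error(`unsupported operator ${op}`);
    });
  }
  return value === cond;
}

function find(collection, query) {
  return collection.filter((doc) =>
    Object.entries(query).every(([field, cond]) => matchesField(doc[field], cond)));
}

// Vulnerable pattern: the body was parsed from JSON, so `username` may be an
// object rather than a string, and it lands in the selector unchanged.
// A body of {"username": {"$ne": ""}} then matches every user, and
// {"username": {"$regex": "^a"}} lets a caller probe names one character at a time.
function lookupUserVulnerable(body) {
  return find(users, { username: body.username });
}

// Hardened pattern: refuse anything that is not a plain string before it can
// reach the selector. Apply the same check to every client-controlled field
// (email, token, room id, ...), not only to the one shown here.
function lookupUserHardened(body) {
  if (typeof body.username !== 'string') {
    throw new TypeError('username must be a string');
  }
  return find(users, { username: body.username });
}

module.exports = { find, lookupUserVulnerable, lookupUserHardened };
```

The type check is deliberately a whitelist (`typeof === 'string'`) rather than a blacklist of operator names; the operator set differs between driver and server versions, and Meteor's `check()` or a JSON schema validator gives the same effect at the API boundary.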
0024 - Critical Severity issue fixed at 2021-04-14.
Rocket.Chat Live.Chat - affects all, fixed on 3.13.2, 3.12.4, 3.11.4
(XSS) An improper input sanitization in the livechat widget could be exploited for an XSS attack. Variation of 0023. (reference: 3h5cty)
0023 - High Severity issue fixed at 2021-03-26.
Rocket.Chat Live.Chat - affects all, fixed on 3.13, 3.12.2, 3.11.3
(XSS) An improper input sanitization in the livechat widget could be exploited for an XSS attack. (reference: 3h5cty)
0022 - Low Severity issue fixed at 2021-03-26.
Rocket.Chat Server - affects all, fixed on 3.13, 3.12.2, 3.11.3
(Self-XSS) An issue with SVG files not being sanitized allowed for potential self-XSS. (reference: 98bfae)
0021 - Low Severity issue fixed at 2021-03-26.
Rocket.Chat Server - affects all, fixed on 3.13, 3.12.2, 3.11.3
(Email enumeration) An issue with an API method allowed for potential email enumeration. (reference: 6tr8gn)
0020 - Medium Severity issue fixed at 2021-03-26.
Rocket.Chat Server - affects all, fixed on 3.13, 3.12.2, 3.11.3
(ReDoS) An issue with certain regular expressions could potentially lead to denial of service. (reference: 2q6wxz)
0019 - Medium Severity issue fixed at 2021-02-27.
Rocket.Chat Server - affects all, fixed on 3.12, 3.11.2, 3.10.6
(Authentication) An authentication issue allowed adding users to rooms without proper authorization. (reference: 330zt5)
0018 - Critical Severity issue fixed at 2021-02-27.
Rocket.Chat Server - affects all, fixed on 3.12, 3.11.2, 3.10.6
(SAML) A race condition in the SAML implementation could be exploited by an attacker. An issue with the token syntax could be exploited. (reference: 397ymy)
0017 - Low Severity issue fixed at 2021-02-27.
Rocket.Chat Server - affects all, fixed on 3.12, 3.11.2, 3.10.6
(Self-XSS) A sanitization issue could be exploited for self-XSS.
0016 - Medium Severity issue fixed at 2021-01-26.
Rocket.Chat Server / LiveChat - affects all, fixed on 3.11, 3.10.5, 3.9.7, 3.8.8.
(Authentication) An issue with the Live Chat could potentially allow a user without the proper permission to modify a setting.
0015 - Critical Severity issue fixed at 2021-01-26.
Rocket.Chat Server / LiveChat - affects all, fixed on 3.11, 3.10.5, 3.9.7, 3.8.8.
(Authentication) An issue with the Live Chat accepting invalid parameters could potentially allow unauthenticated access to messages and user tokens.
0014 - High Severity issue fixed at 2021-01-26.
Rocket.Chat Server - affects all, fixed on 3.11, 3.10.5, 3.9.7, 3.8.8.
(XSS) An issue with the message parser could potentially lead to XSS.
0013 - Medium Severity issue fixed at 2021-01-26.
Rocket.Chat Server - affects all, fixed on 3.11, 3.10.5, 3.9.7, 3.8.8.
(XSS) An issue with the rendering of the user profile could potentially lead to XSS.
0012 - Low Severity issue fixed at 2021-01-26.
Rocket.Chat Server - affects all, fixed on 3.11, 3.10.5, 3.9.7, 3.8.8.
(System Information Disclosure) A method that could be called by unauthenticated users to gather information about the target host was removed.
0011 - Low Severity issue fixed at 2021-01-26.
Rocket.Chat Server - affects all, fixed on 3.11, 3.10.5, 3.9.7, 3.8.8.
(User enumeration) A method could be called by unauthenticated users, potentially leading to user enumeration.
0010 - High Severity issue fixed at 2021-01-26.
Rocket.Chat Server - affects all, fixed on 3.11, 3.10.5, 3.9.7, 3.8.8.
(Authentication) An issue with invite-tokens could allow unauthenticated users to guess a valid invite token.
0009 - Medium Severity issue fixed at 2021-01-26.
Rocket.Chat Server - affects all, fixed on 3.11, 3.10.5, 3.9.7, 3.8.8.
(Information Disclosure) An issue with a real-time method could lead to leakage of message IDs.
0008 - High Severity issue fixed at 2021-01-26.
Rocket.Chat Server - affects all, fixed on 3.11, 3.10.5, 3.9.7, 3.8.8.
(Information Disclosure) An issue with the return value of a real-time method could lead to unauthorized leaks of message content.
0007 - Medium Severity issue fixed at 2020-11-28.
Rocket.Chat Server - affects all, fixed on 3.9.
(Self-XSS) An issue with the drag-and-drop functionality was fixed that, under certain circumstances, could be used as part of a possible self-XSS attack.
Thanks a lot to Jorge Cardona for reporting this.
CVE-ID: CVE-2020-8292
0006 - Critical Severity issue fixed at 2020-12-18.
Rocket.Chat Server - affects 1.x, 2.x, 3.x, fixed on 3.9.3, 3.8.4, 3.7.4, 2.4.14, 1.3.5.
(XSS) A vulnerability in the message renderer was fixed that allowed for possible XSS attacks. More details here.
CVE-ID: CVE-2020-8288
0005 - Critical Severity issue fixed at 2020-12-05.
Rocket.Chat Server - affects 0.x, 1.x, 2.x, 3.x, fixed on 3.9.1, 3.8.3, 3.7.3, 2.4.13, 1.3.4, 0.74.4.
(Authentication bypass) A SAML vulnerability was fixed that allowed adding custom SAML providers. More details here.
CVE-ID: CVE-2020-29594
0004 - High Severity issue fixed at 2020-10-01.
Rocket.Chat Desktop Client - affects 2.x, fixed on 3.0.
(RCE) An issue where link preload could be used to execute code was fixed by enabling context isolation.
0003 - High Severity issue fixed at 2020-08-29.
Rocket.Chat Server - affects 3.4.x, fixed on 3.6.
(RCE) Fixed an issue where discussion messages could be used to insert and execute code.
0002 - Low Severity issue fixed at 2020-08-29.
Rocket.Chat Server - affects 3.x, fixed on 3.6.
Added a missing X-Frame-Options header in the admin.
0001 - High Severity issue fixed at 2020-07-25.
Rocket.Chat Server - affects 3.4.x, fixed on 3.5 and 3.4.2.
(RCE) Fixed an issue where thread starting messages could be used to insert and execute code. Thanks to Pawel Wylecial of REDTEAM.PL.
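Each entry above lists the fix per release branch ("fixed on 3.14.6, 3.15.4, 3.16.3"), and reading that correctly matters when triaging a server: on a listed branch you need at least the listed patch release, any newer branch includes the fix, and an older branch that is not listed never received one. The following is an added script, not provided by Rocket.Chat, that encodes exactly that reading and reports which entries still apply to a running version. The `ADVISORIES` table is a constructed subset copied from the entries above; extend it with the remaining entries as needed.

```javascript
// Constructed subset of the entries above: id and the "fixed on" list.
const ADVISORIES = [
  { id: '0034', fixedOn: ['3.14.6', '3.15.4', '3.16.3'] },
  { id: '0031', fixedOn: ['3.12.7', '3.13.5', '3.14.4'] },
  { id: '0026', fixedOn: ['3.13.2', '3.12.4', '3.11.4'] },
  { id: '0020', fixedOn: ['3.13', '3.12.2', '3.11.3'] },
];

// "3.13" is treated as 3.13.0, i.e. the first release of that branch.
function parseVersion(v) {
  const [major, minor = 0, patch = 0] = v.split('.').map(Number);
  if ([major, minor, patch].some((n) => Number.isNaN(n))) {
    throw new Error(`bad version ${v}`);
  }
  return { major, minor, patch };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Decide whether `running` contains the fix described by `fixedOn`:
//  - same major.minor as a listed fix: need patch >= that fix's patch
//  - newer than the newest listed branch: fix is included
//  - older, unlisted branch: no fix was published for it
function isFixed(running, fixedOn) {
  const cur = parseVersion(running);
  const fixes = fixedOn.map(parseVersion);
  const sameBranch = fixes.find((f) => f.major === cur.major && f.minor === cur.minor);
  if (sameBranch) return cur.patch >= sameBranch.patch;
  const newest = fixes.reduce((a, b) => (compare(a, b) >= 0 ? a : b));
  return compare(cur, newest) > 0;
}

// Ids of advisories that the given version has NOT received fixes for.
function unfixedFor(running, advisories = ADVISORIES) {
  return advisories.filter((adv) => !isFixed(running, adv.fixedOn)).map((adv) => adv.id);
}

module.exports = { parseVersion, isFixed, unfixedFor, ADVISORIES };
```

Run with `node triage.js 3.13.4` after adding `console.log(unfixedFor(process.argv[2]))` at the bottom; for 3.13.4 the subset above reports 0034 (no fix published for 3.13 at all) and 0031 (needs 3.13.5). Note that "affects all" in the entries means every branch up to the fixed ones, so a branch that is older than everything listed, for instance 3.10 against entry 0034, is reported as unfixed, which is the correct reading of the support policy described at the top of this page.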