First published: Fri Sep 23 2022
An information disclosure vulnerability exists in Rocket.Chat versions before 5.0, where the getUserMentionsByChannel Meteor server method returns messages from private channels and direct messages regardless of whether the calling user has permission to access the room.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix
---|---|---
Rocket.Chat Livechat | <5.0 | Update to 5.0 or later
CVE-2022-35249 is classified as an information disclosure vulnerability: the getUserMentionsByChannel method can return the contents of messages in rooms the calling user is not permitted to read.
To fix CVE-2022-35249, update Rocket.Chat to version 5.0 or later, where this vulnerability has been addressed.
CVE-2022-35249 affects Rocket.Chat versions earlier than 5.0; users of those versions are potentially exposed to the information disclosure.
CVE-2022-35249 discloses messages from private channels and direct messages regardless of whether the requesting user has permission to access the room.