An XSS issue exists in packages/rocketchat-mentions/Mentions.js in Rocket.Chat prior to 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
rocket.chat rocket.chat |