Rocket.Chat server versions prior to 3.9.0 are vulnerable to self cross-site scripting (self-XSS) via the drag & drop functionality in message boxes.