CRITICAL🇬🇧 English

CVE-2022-44567

CVSS 9.8v3.1pub. 2022-12-23upd. 2025-04-15

A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). To exploit the vulnerability, the internal video chat window must be disabled or a Mac App Store build must be used (internalVideoChatWindow.ts#L14). The vulnerability may be exploited by an XSS attack because the function openInternalVideoChatWindow is exposed in the Rocket.Chat-Desktop-API.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Rocket.chat

    APP
    Rocket.Chat
    < 3.8.14
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEXSSCommand Injection
CWE
Referencje

Powiązane podatności

CVE-2026-48616CRITICAL9.3ten sam produkt

Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerab...

CVE-2026-29198CRITICAL9.8PL ✓ten sam produkt

Rocket.Chat — NoSQL injection umożliwiający przejęcie konta (SQLi)

CVE-2026-28514CRITICAL9.3PL ✓ten sam produkt

Rocket.Chat — pominięcie await powoduje auth bypass w ddp-streamer

CVE-2023-28316CRITICAL9.8ten sam produkt

A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where o...

CVE-2021-22910CRITICAL9.8ten sam produkt

A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed quer...

CVE-2022-44567 — CRITICAL 9.8 | CVEbaza.pl