Description
A stored cross-site scripting (XSS) vulnerability was discovered in Rocket.Chat versions 6.12.0 and earlier. An authenticated attacker with permission to edit the description or release notes of marketplace and private apps can store malicious JavaScript in those fields. When another user views the affected field, the script executes in that user's browser in the context of the Rocket.Chat origin, which can lead to actions performed in the victim's session or theft of data accessible to it.
Severity
- CVSS v3.1 Base Score: 5.4 (Medium)
- Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Impact
- Confidentiality: Low
- Integrity: Low
- Availability: None
Affected Versions
- Rocket.Chat versions up to and including: 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8
Steps to Reproduce
- Log in to Rocket.Chat as a user with permission to add descriptions or release notes for marketplace or private apps.
- Navigate to the Marketplace section and open the form to submit or edit the description/release notes.
- In the description or release notes field, enter the following payload:
  <script>alert('XSS');</script>
- Save the changes and have another user (or yourself) view the edited description/release notes.
- When the page loads, the JavaScript alert should trigger, confirming the stored XSS vulnerability.
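The procedure above shows the symptom; the example below shows the cause and the fix in general terms. It is an added illustration, not Rocket.Chat's own rendering code: a free-text field (here a constructed release note carrying the payload from the steps) interpolated straight into HTML markup versus the same field escaped before interpolation, plus a regex heuristic a responder can run over exported app metadata to hunt for payloads that are already stored. The function and constant names are assumptions made for the example.

```javascript
// Added example, not Rocket.Chat code. Demonstrates how a stored XSS in a
// free-text field such as an app description arises, how escaping at render
// time prevents it, and a simple heuristic for hunting stored payloads.

// Constructed sample: what an attacker might save as an app's release notes.
const STORED_RELEASE_NOTES = "Fixes login bug <script>alert('XSS');</script>";

// Vulnerable pattern: untrusted stored text is placed directly into markup,
// so any tags it contains become live HTML in the viewer's browser.
function renderUnsafe(text) {
  return `<div class="release-notes">${text}</div>`;
}

// Escape the five HTML metacharacters so stored text can only ever be text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe pattern: same markup, but the untrusted field is escaped first.
function renderSafe(text) {
  return `<div class="release-notes">${escapeHtml(text)}</div>`;
}

// Hunting heuristic for already-stored payloads (e.g. after exporting app
// descriptions and release notes from the database). Deliberately broad:
// it flags script tags, javascript: URLs, inline event handlers and tags
// commonly used to smuggle script. Review hits manually.
const SUSPICIOUS_PATTERNS = [
  /<\s*script\b/i,                    // <script ...>
  /\bjavascript\s*:/i,                // href="javascript:..."
  /\bon[a-z]+\s*=/i,                  // onerror=, onload=, onclick=, ...
  /<\s*(iframe|object|embed|svg)\b/i, // other script-capable elements
];

function looksLikeXssPayload(text) {
  return SUSPICIOUS_PATTERNS.some((re) => re.test(String(text)));
}

// Stand-alone demonstration.
console.log('unsafe :', renderUnsafe(STORED_RELEASE_NOTES));
console.log('safe   :', renderSafe(STORED_RELEASE_NOTES));
console.log('flagged:', looksLikeXssPayload(STORED_RELEASE_NOTES));
```

Escaping at the point of rendering is the primary fix; if the field is meant to support formatting, render it through a Markdown or rich-text library with raw HTML disabled rather than hand-rolling an allowlist sanitizer. A Content-Security-Policy that disallows inline script is a useful second layer but does not remove the need to fix the rendering.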
Solution
- Update Rocket.Chat to a release later than those listed under Affected Versions. More details and patch information are available from the Rocket.Chat project.