Reports in the Rocket.Chat program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | Remote code execution by hijacking an unclaimed S3 bucket in Rocket.Chat's installation script | $0.0 |
| 2 | Remote Code Execution in Rocket.Chat Desktop | $0.0 |
| 3 | Blind XSS in the rocket.chat registration email | $0.0 |
| 4 | XSS (stored): Wizard is saving executable code | $0.0 |
| 5 | Broken access control on apps | $0.0 |
| 6 | Slack Token exposed over internet (Github) | $0.0 |
| 7 | Blind SQL injection in third-party software that allows revealing user statistics from rocket.chat and possibly hacking into rocketchat.agilecrm.com | $0.0 |
| 8 | Open redirect open.rocket.chat/file-upload/ID/filename.svg | $0.0 |
| 9 | Clickjacking in the admin page | $0.0 |
| 10 | XSS (leads to arbitrary file read in Rocket.Chat-Desktop) | $0.0 |
| 11 | API Keys Hardcoded in Github repository | $0.0 |
| 12 | Account takeover on 3.0.1 version | $0.0 |
| 13 | SAML authentication bypass | $0.0 |
| 14 | [Security Vulnerability Rocket.chat] HTML Injection into Email via Signup | $0.0 |
| 15 | Desktop app RCE (#276031 bypass) | $0.0 |
| 16 | Remote Code Execution in Rocket.Chat-Desktop | $0.0 |
| 17 | XSS leads to RCE on the RocketChat desktop client | $0.0 |
| 18 | SAML authentication bypass through unauthenticated addSamlProvider Meteor Call | $0.0 |
| 19 | Session Hijack via Self-XSS | $0.0 |
| 20 | XSS in message attachment fields | $0.0 |
| 21 | Android App Crashes while sending message to users/ on channel | $0.0 |
| 22 | Stored XSS in any message (leads to priv esc for all users and file leak + RCE via Electron app) | $0.0 |
| 23 | Account takeover via XSS | $0.0 |
| 24 | Hi! Security Team Rocket.Chat, it's possible to get information about the users' emails without authentication | $0.0 |
| 25 | Pre-Auth Blind NoSQL Injection leading to Remote Code Execution | $0.0 |
| 26 | Post-Auth Stored XSS with User Interaction leads to Remote Code Execution | $0.0 |
| 27 | Post-Auth Blind NoSQL Injection in the users.list API leads to Remote Code Execution | $0.0 |
| 28 | Custom crafted message object in Meteor.Call allows remote code execution and impersonation | $0.0 |
| 29 | Blind XSS | $0.0 |
| 30 | Arbitrary file read in Rocket.Chat-Desktop | $0.0 |
| 31 | Possible Domain Takeover on AWS Instance | $0.0 |
| 32 | Insecure use of shell.openExternal() in Rocket.Chat Desktop App leading to RCE | $0.0 |
| 33 | Regex account takeover | $0.0 |
| 34 | Persistent CSS injection with 'marked' markdown parser in Rocket.Chat | $0.0 |
| 35 | It is possible to elevate privileges for any authenticated user to view the permissions matrix and view Direct Messages without appropriate permissions | $0.0 |
| 36 | getUserMentionsByChannel leaks messages with mention from private channel | $0.0 |
| 37 | Bypass local authentication (PIN code) | $0.0 |
| 38 | Unintended information disclosure in the Hubot log files | $0.0 |
| 39 | REST API gets query as parameter and executes it | $0.0 |
| 40 | Message ID Enumeration with Action Link Handler | $0.0 |
| 41 | TOTP 2 Factor Authentication Bypass | $0.0 |
| 42 | getRoomRoles Method leaks Channel Owner | $0.0 |
| 43 | NoSQL-Injection discloses S3 File Upload URLs | $0.0 |
| 44 | API route chat.getThreadsList leaks private message content | $0.0 |
| 45 | Message ID Enumeration with Regular Expression in getReadReceipts Meteor method | $0.0 |
| 46 | Rocket.chat user info security issue | $0.0 |
| 47 | getUsersOfRoom discloses users in private channels | $0.0 |
| 48 | Insecure use of shell.openExternal() leads to RCE in Rocket.Chat-Desktop | $0.0 |
| 49 | Low authorization level at server-side API operation e2e.updateGroupKey lets an attacker break the E2E architecture | $0.0 |
| 50 | Rocket.Chat Server RCE | $0.0 |
| 51 | Improper Access Control - Generic | $0.0 |
| 52 | Messages can be hidden regardless of server configuration | $0.0 |
| 53 | Retrospective change of message timestamp and order | $0.0 |
| 54 | Moving private messages into vision with updateMessage method | $0.0 |
| 55 | Maliciously crafted message can cause Rocket.Chat server to stop responding | $0.0 |
| 56 | Mute User can disclose private channel members to unauthorized users | $0.0 |
| 57 | Cross-Site Scripting in "Search Messages" | $0.0 |
| 58 | NoSQL injection in listEmojiCustom method call | $0.0 |
| 59 | Clickjacking at open.rocket.chat | $0.0 |
| 60 | Reflected Cross-Site Scripting (CVE-2022-32770) | $0.0 |
| 61 | Server-side RCE through directory traversal-based arbitrary file write | $0.0 |
| 62 | Rocket.Chat Desktop client fails to open browser on 3rd party external actions from PDF documents | $0.0 |
| 63 | NoSQL injection leaks visitor token and livechat messages | $0.0 |
| 64 | Unauthenticated full-read SSRF via Twilio integration | $0.0 |
| 65 | Bypassing 2FA with conventional session management - open.rocket.chat | $0.0 |
| 66 | Pinning leaks message content | $0.0 |
| 67 | XSS in various MessageTypes | $0.0 |
| 68 | Content-Security-Policy bypass with File Uploads | $0.0 |
| 69 | Impersonation in Sequential Messages | $0.0 |
| 70 | Authentication Bypass in login-token Authentication Method | $0.0 |
| 71 | User Impersonation through sendMessage options | $0.0 |
| 72 | Improper ACL in Message Starring | $0.0 |
| 73 | Unauthenticated clients can modify Livechat Business Hours | $0.0 |
| 74 | Registration bypass with leaked Invite Token | $0.0 |
| 75 | Unread Messages can leak Message IDs | $0.0 |
| 76 | CSS Injection in Message Avatar | $0.0 |
| 77 | Online Status of arbitrary users can be changed | $0.0 |
| 78 | Upload of Avatars for other Users | $0.0 |
| 79 | Guest Privilege Escalation to admin group | $0.0 |
| 80 | XSS via /api/v1/chat.postMessage | $0.0 |
| 81 | The initial E2EE password generated by Rocket.Chat mobile can be recovered in a practical timescale | $0.0 |
| 82 | IDOR vulnerability leads to deleting a message after leaving/getting banned from a group using the message ID | $0.0 |