Description
Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc_room_type=l with rc_rid+rc_token, but the authorization path does not verify that rc_rid matches the requested file's rid. Furthermore, :fileId is predictable via sequential MongoDB IDs, and :name can be anything, allowing unauthenticated discovery of all uploaded files.
CVSS breakdown
CVSS 3.0
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None
Affected products
- Rocket.Chat / Rocket.Chat0 – 8.5.1
- Rocket.Chat / Rocket.Chat0 – 8.4.4
- Rocket.Chat / Rocket.Chat0 – 8.3.6
- Rocket.Chat / Rocket.Chat0 – 8.2.6
- Rocket.Chat / Rocket.Chat0 – 8.1.6
- Rocket.Chat / Rocket.Chat0 – 8.0.7
- Rocket.Chat / Rocket.Chat0 – 7.13.9
- Rocket.Chat / Rocket.Chat0 – 7.10.13