Description
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether. This vulnerability is fixed in 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low
Affected products
- RocketChat / Rocket.Chat>= 8.5.0-rc.0, < 8.5.0 – >= 8.5.0-rc.0, < 8.5.0
- RocketChat / Rocket.Chat>= 8.4.0-rc.0, < 8.4.2 – >= 8.4.0-rc.0, < 8.4.2
- RocketChat / Rocket.Chat>= 8.3.0-rc.0, < 8.3.4 – >= 8.3.0-rc.0, < 8.3.4
- RocketChat / Rocket.Chat>= 8.2.0-rc.0, < 8.2.4 – >= 8.2.0-rc.0, < 8.2.4
- RocketChat / Rocket.Chat>= 8.1.0-rc.0, < 8.1.5 – >= 8.1.0-rc.0, < 8.1.5
- RocketChat / Rocket.Chat>= 8.0.0-rc.0, < 8.0.6 – >= 8.0.0-rc.0, < 8.0.6
- RocketChat / Rocket.Chat>= 7.11.0-rc.0, < 7.13.8 – >= 7.11.0-rc.0, < 7.13.8
- RocketChat / Rocket.Chat< 7.10.12 – < 7.10.12