CVE-2020-15926 Information

Description

Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct message to the client which results in remote code execution on the client side.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://blog.redteam.pl/2020/08/rocket-chat-xss-rce-cve-2020-15926.html https://github.com/RocketChat/Rocket.Chat/commits/develop https://github.com/RocketChat/Rocket.Chat/pull/18356

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1