Unescaped Username Display Vulnerability in Rocket.Chat

Unescaped Username Display Vulnerability in Rocket.Chat

CVE-2018-13878 · MEDIUM Severity

AV:N/AC:M/AU:N/C:N/I:P/A:N

An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel.

Learn more about our User Device Pen Test.