Unescaped Username Display Vulnerability in Rocket.Chat
CVE-2018-13878 · MEDIUM Severity
AV:N/AC:M/AU:N/C:N/I:P/A:N
An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol) in a channel or private chat. Consequently, it is possible to exfiltrate the secret token of every user and also admins in the channel.
Learn more about our User Device Pen Test.