Improper Authorization Vulnerability in Rocket.Chat <6.0: Manipulation of rid Parameter Allows Unauthorized Message Editing

Improper Authorization Vulnerability in Rocket.Chat <6.0: Manipulation of rid Parameter Allows Unauthorized Message Editing

CVE-2023-28325 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and change the updateMessage method that only checks whether the user is allowed to edit message in the target room.

Learn more about our User Device Pen Test.