XSS vulnerability – hotfix available for all affected versions


Learn more about the newest hotfix provided by Rocket.Chat's Security Team

Dear Rocket.Chat users,

We are providing an important security hotfix for the Rocket.Chat server outside of the regular release cycle. It fixes a critical vulnerability that allowed Cross-Site Scripting (XSS) in the message renderer.

We recommend that you upgrade your instance as soon as possible: the vulnerability is already publicly known, and the creation of exploit kits by attackers is very likely.

Available versions: 3.9.3 / 3.8.4 / 3.7.4 / 2.4.14 / 1.3.5 

CVE-2020-8288

The hotfix only affects the message renderer. By exploiting the vulnerability, a user on the Rocket.Chat server may be able to elevate their privileges and/or modify messages, e.g. to remove traces of the exploit.
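To check whether an instance is at or above the hotfix version for its release branch, here is an added Python example (not Rocket.Chat's own code). It assumes that any release branch newer than the newest one listed above already contains the fix, that branches without a listed hotfix should be treated as affected, and that the version string is in the form returned by the server's `/api/info` endpoint (the sample payload below is constructed).

```python
import json
import re

# Hotfix versions from the advisory, keyed by their (major, minor) release branch.
HOTFIX_VERSIONS = {
    (3, 9): (3, 9, 3),
    (3, 8): (3, 8, 4),
    (3, 7): (3, 7, 4),
    (2, 4): (2, 4, 14),
    (1, 3): (1, 3, 5),
}
NEWEST_FIXED_BRANCH = max(HOTFIX_VERSIONS)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([-+]).*)?$")


def parse_version(version: str) -> tuple[tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for 'MAJOR.MINOR.PATCH[-rc.N]'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix == "-"


def is_patched(version: str) -> bool:
    """True if this version is at or above the hotfix for its branch."""
    (major, minor, patch), prerelease = parse_version(version)
    branch = (major, minor)
    if branch > NEWEST_FIXED_BRANCH:
        # Assumption: releases newer than 3.9.x were cut after the hotfix.
        return True
    fixed = HOTFIX_VERSIONS.get(branch)
    if fixed is None:
        # Assumption: no hotfix was published for this branch, so treat it as affected.
        return False
    if (major, minor, patch) == fixed and prerelease:
        # A release candidate of the fixed version is treated conservatively as unpatched.
        return False
    return (major, minor, patch) >= fixed


def check_api_info(payload: str) -> bool:
    """Evaluate the JSON body of /api/info, which carries a top-level 'version' field."""
    return is_patched(json.loads(payload)["version"])


if __name__ == "__main__":
    sample = '{"version": "3.9.2"}'  # constructed sample of an /api/info response
    print("patched" if check_api_info(sample) else "AFFECTED: upgrade required")
```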

Please check our GitHub repository here (link) for the latest version. Or receive a notification whenever a new version – including hotfixes such as this one – is available by registering your server here (link).


    Markus Kirsch