A command injection vulnerability exists in Rocket.Chat-Desktop before 3.8.14: the URL argument of openInternalVideoChatWindow is passed unvalidated to Electron's shell.openExternal() (internalVideoChatWindow.ts#L17), which may lead to remote code execution, since shell.openExternal() hands the URL to the operating system's default handler for its scheme. The vulnerable code path is reached only when the internal video chat window is disabled or a Mac App Store build is used (internalVideoChatWindow.ts#L14). Because openInternalVideoChatWindow is exposed to the web client through the Rocket.Chat-Desktop-API, a cross-site scripting (XSS) flaw in the client can be used to call it with an attacker-controlled URL.
Published 2022-12-23 15:15:16
Updated 2023-01-04 18:09:37
Source HackerOne
Vulnerability categories: Cross-site scripting (XSS); Execute code

Exploit prediction scoring system (EPSS) score for CVE-2022-44567

EPSS score: 0.34% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~72% (proportion of scored vulnerabilities with a score at or below this one)

CVSS scores for CVE-2022-44567

Base Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability Score: 3.9
Impact Score: 5.9
Score Source: NIST
