CVE-2024-46936

EUVD-2024-42149
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier versions are vulnerable to a message forgery / impersonation issue. Attackers can abuse the UpdateOTRAck method to send ephemeral messages as if they came from any other user they choose.
Provider   Type      Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       Primary   7.5 HIGH     NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base score type: CVSS 3.x
EPSS score percentile: 27%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor       Product       Version               Source
rocketchat   rocket.chat   6.12.0 ≤ x < 6.12.1   ADP
rocketchat   rocket.chat   6.11.0 ≤ x ≤ 6.11.2   ADP
rocketchat   rocket.chat   6.10.0 ≤ x ≤ 6.10.5   ADP
rocketchat   rocket.chat   6.9.0 ≤ x ≤ 6.9.6     ADP
rocketchat   rocket.chat   6.8.0 ≤ x ≤ 6.8.6     ADP
rocketchat   rocket.chat   x ≤ 6.7.8             ADP