819531 – (CVE-2020-8291) net-im/rocketchat-desktop-bin: link preview XSS (CVE-2020-8291)

Bug 819531 (CVE-2020-8291) - net-im/rocketchat-desktop-bin: link preview XSS (CVE-2020-8291)

Summary: net-im/rocketchat-desktop-bin: link preview XSS (CVE-2020-8291)

Status:	RESOLVED INVALID

Alias:	CVE-2020-8291

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://github.com/RocketChat/Rocket....
Whiteboard:	B4 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2021-10-22 21:43 UTC by John Helmert III
Modified:	2021-10-23 12:23 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-10-22 21:43:57 UTC

CVE-2020-8291:

A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks.

Contrary to the CVE description, patch is in 3.10 onward. Please bump.

Comment 1 Nowa Ammerlaan gentoo-dev

2021-10-23 08:12:54 UTC

(In reply to John Helmert III from comment #0)
> CVE-2020-8291:
> 
> A link preview rendering issue in Rocket.Chat versions before 3.9 could lead
> to potential XSS attacks.
> 
> Contrary to the CVE description, patch is in 3.10 onward. Please bump.

I think this applies to the Rocket.Chat server: https://github.com/RocketChat/Rocket.Chat/releases (not packaged)

And not to the Rocket.Chat desktop client: https://github.com/RocketChat/Rocket.Chat.Electron (which doesn't have a version newer then 3.5.7)

Comment 2 John Helmert III archtester

2021-10-23 12:23:27 UTC

Ah, sorry! Invalid then