906108 – (CVE-2023-28317, CVE-2023-28318) net-im/rocketchat-desktop-bin: multiple vulnerabilities

Bug 906108 (CVE-2023-28317, CVE-2023-28318) - net-im/rocketchat-desktop-bin: multiple vulnerabilities

Summary: net-im/rocketchat-desktop-bin: multiple vulnerabilities

Status:	CONFIRMED

Alias:	CVE-2023-28317, CVE-2023-28318

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:
Whiteboard:	~4 [??]
Keywords:

Depends on:
Blocks:

Reported:	2023-05-11 04:24 UTC by John Helmert III
Modified:	2023-05-11 04:24 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-05-11 04:24:31 UTC

CVE-2023-28318 (https://hackerone.com/reports/1379451):

A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the Message_KeepHistory or Message_ShowDeletedStatus server configuration. This allows users to bypass the intended message deletion behavior, hiding messages and deletion notices.

CVE-2023-28317 (https://hackerone.com/reports/1379635):

A vulnerability has been discovered in Rocket.Chat, where editing messages can change the original timestamp, causing the UI to display messages in an incorrect order.

These are ostensibly fixed, but it doesn't seem that Hackerone is advertising this information.