Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 819531 (CVE-2020-8291)

Summary: net-im/rocketchat-desktop-bin: link preview XSS (CVE-2020-8291)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: minor CC: andrewammerlaan
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/RocketChat/Rocket.Chat/pull/19854
Whiteboard: B4 [ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-22 21:43:57 UTC 
CVE-2020-8291:

A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks.

Contrary to the CVE description, patch is in 3.10 onward. Please bump.
Comment 1 Andrew Nowa Ammerlaan gentoo-dev 2021-10-23 08:12:54 UTC 
(In reply to John Helmert III from comment #0)
> CVE-2020-8291:
> 
> A link preview rendering issue in Rocket.Chat versions before 3.9 could lead
> to potential XSS attacks.
> 
> Contrary to the CVE description, patch is in 3.10 onward. Please bump.

I think this applies to the Rocket.Chat server: https://github.com/RocketChat/Rocket.Chat/releases (not packaged)

And not to the Rocket.Chat desktop client: https://github.com/RocketChat/Rocket.Chat.Electron (which doesn't have a version newer then 3.5.7)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-23 12:23:27 UTC 
Ah, sorry! Invalid then