QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2022-44567

Back to search

CVE-2022-44567

Published: Dec 23, 2022

Modified: Apr 15, 2025

PUBLISHED

Description

A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). To exploit the vulnerability, the internal video chat window must be disabled or a Mac App Store build must be used (internalVideoChatWindow.ts#L14). The vulnerability may be exploited by an XSS attack because the function openInternalVideoChatWindow is exposed in the Rocket.Chat-Desktop-API.

VendorProductVersions

n/a

Rocket.chat - Electron Desktop

affected
fixed in => v3.8.14

Weaknesses (CWE)

CWE-78

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now