This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: A pre-auth blind NoSQL injection in Rocket.Chat. **Consequences**: Attackers can hijack accounts via leaked password reset tokens. …
**Threshold**: **LOW**. No authentication or authorization is required to trigger the injection. It is a **pre-auth** vulnerability, making it extremely easy to exploit for any internet-facing instance.
Q6: Is there a public exploit? (PoC/Wild Exploitation)
**Public Exploits**: **YES**. Multiple PoCs are available on GitHub (e.g., by CsEnox, optionalCTF, ChrisPritchard). Automated scripts exist for account takeover and RCE. **Exploit-DB**: ID 49960.
Q7: How to self-check? (Features/Scanning)
**Self-Check**:

1. Check the Rocket.Chat version (3.11-3.13).
2. Scan for the `getPasswordPolicy` endpoint.
3. Test whether the password reset token parameter accepts JSON injection payloads (such as `$regex`).
4. …
**Urgency**: **CRITICAL**. Since it allows **unauthenticated RCE**, it is a high-priority target for attackers. Immediate patching or mitigation is required to prevent full server compromise.