CVE-2020-28208 Scanner
Detects 'User Enumeration' vulnerability in Rocket.Chat affects v. through 3.9.1..
Short Info
Level
Medium
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
15 seconds
Time Interval
29 days
Scan only one
Domain, IPv4, Subdomain
Toolbox
-
Rocket.Chat is a popular open-source platform that allows users to communicate in real-time through chat, voice, video, and file sharing. It is widely used by businesses, organizations, and communities for various purposes, such as team collaboration, customer communication, and online education. With its customizable features, Rocket.Chat provides users with a flexible and secure communication platform that can be tailored to fit their specific needs.
However, a critical vulnerability has been identified in the password reset function of Rocket.Chat version 3.9.1 and earlier. The vulnerability, identified as CVE-2020-28208, allows an attacker to enumerate email addresses by exploiting a flaw in the password reset functionality. This means that an attacker can obtain a list of all the registered email addresses on the platform, which can be used for further attacks such as phishing and social engineering.
Exploiting this vulnerability can be particularly dangerous for businesses and organizations that use Rocket.Chat for sensitive communications, such as confidential client information or financial data. An attacker could leverage the email address list to launch targeted attacks against these organizations, potentially leading to data breaches and financial losses. In addition, a successful attack could damage the reputation and trust of the affected organization among its clients and partners.
Thanks to the pro features of the s4e.io platform, users can easily and quickly identify vulnerabilities in their digital assets and take proactive measures to secure them. The platform offers a comprehensive vulnerability assessment that covers web applications, mobile apps, APIs, and cloud infrastructure. With its user-friendly interface and actionable insights, s4e.io empowers users to secure their digital assets against a range of threats, including the CVE-2020-28208 vulnerability in Rocket.Chat.
REFERENCES
- http://packetstormsecurity.com/files/160845/Rocket.Chat-3.7.1-Email-Address-Enumeration.html
- http://seclists.org/fulldisclosure/2021/Jan/32
- http://seclists.org/fulldisclosure/2021/Jan/43
- http://www.openwall.com/lists/oss-security/2021/01/07/1
- http://www.openwall.com/lists/oss-security/2021/01/08/1
- http://www.openwall.com/lists/oss-security/2021/01/13/1
- https://trovent.github.io/security-advisories/TRSA-2010-01/TRSA-2010-01.txt
- https://trovent.io/security-advisory-2010-01
