CVE-2022-35246 - AskarLabs CVE Database

CVE-2022-35246

Vendor N/A

Product Rocket.Chat

Weakness CWE-200 · Info exposure

Published September 23, 2022

Last update May 22, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

A NoSQL-Injection information disclosure vulnerability vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3FileUrl Meteor server method that can disclose arbitrary file upload URLs to users that should not be able to access.

Key dates

02Disclosure timeline

September 23, 2022 CVE published

May 22, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-35246

Related vulnerabilities

04Related CVE

CVE-2024-8756 Quform - WordPress Form Builder <= 2.20.0 - Unauthenticated Sensitive Information Exposure CVE-2025-12681 Comment Edit Core – Simple Comment Editing <= 3.1.0 - Unauthenticated Sensitive Information Exposure CVE-2024-11291 Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.4 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure CVE-2023-21449 CVE-2025-32958 Adept exposed the GITHUB_TOKEN in workflow run artifact