CVE-2022-44567

CVE-2022-44567

Vendor N/A

Product Rocket.chat - Electron Desktop

Weakness CWE-78

Published December 23, 2022

Last update April 15, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). To exploit the vulnerability, the internal video chat window must be disabled or a Mac App Store build must be used (internalVideoChatWindow.ts#L14). The vulnerability may be exploited by an XSS attack because the function openInternalVideoChatWindow is exposed in the Rocket.Chat-Desktop-API.

Key dates

02Disclosure timeline

December 23, 2022 CVE published

April 15, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-44567 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

01Description

02Disclosure timeline

03References

04Related CVE