{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2023-28359","assignerOrgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","assignerShortName":"hackerone","dateUpdated":"2025-01-27T16:52:17.296Z","dateReserved":"2023-03-15T00:00:00.000Z","datePublished":"2023-05-11T00:00:00.000Z"},"containers":{"cna":{"providerMetadata":{"orgId":"36234546-b8fa-4601-9d6f-f4e334aa8ea1","shortName":"hackerone","dateUpdated":"2023-05-11T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"A NoSQL injection vulnerability has been identified in the listEmojiCustom method call within Rocket.Chat. This can be exploited by unauthenticated users when there is at least one custom emoji uploaded to the Rocket.Chat instance. The vulnerability causes a delay in the server response, with the potential for limited impact."}],"affected":[{"vendor":"n/a","product":"Rocket.Chat","versions":[{"version":"This issue has been fixed in version 6.0> and is backported for the supported versions. Check this document for more info: https://docs.rocket.chat/resources/get-support/enterprise-support#rocket.chat-versions","status":"affected"}]}],"references":[{"url":"https://hackerone.com/reports/1757676"}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"SQL Injection (CWE-89)","cweId":"CWE-89"}]}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T12:38:24.988Z"},"title":"CVE Program Container","references":[{"url":"https://hackerone.com/reports/1757676","tags":["x_transferred"]}]},{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-89","lang":"en","description":"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.3,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"LOW","privilegesRequired":"NONE","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-01-27T16:51:28.735917Z","id":"CVE-2023-28359","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-01-27T16:52:17.296Z"}}]}}