Chat Software Vulnerabilities

Timeline

Analysing the timeline helps to identify the required approach to, and handling of, single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that immediate vulnerability response can be initiated and issues can be prioritized.

Vendor

Identifying all affected vendors is a good starting point for an overview. This makes it possible to determine a homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Product

livehelperchat: 30
Rocket.Chat: 23
PHPOpenChat: 10
Khaled Mardam-Bey mIRC: 9
chatwoot: 8

Grouping vulnerabilities by product helps to get an overview. This makes it possible to determine a homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Official Fix: 184
Temporary Fix: 0
Workaround: 5
Unavailable: 53
Not Defined: 213

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These come in multiple forms and levels of remediation, which influence risk differently.

Exploitability

High: 35
Functional: 1
Proof-of-Concept: 135
Unproven: 7
Not Defined: 277

Researchers and attackers who are looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine the simplicity and strength of attacks.

Access Vector

Not Defined: 0
Physical: 1
Local: 17
Adjacent: 32
Network: 405

When approaching a vulnerability it is important to know the expected access vector. This is typically via the network, locally, or even physically.

Authentication

Not Defined: 0
High: 13
Low: 98
None: 344

To exploit a vulnerability a certain level of authentication might be required. Vulnerabilities without such a requirement are much more popular.

User Interaction

Not Defined: 0
Required: 137
None: 318

Some attack scenarios require user interaction by a victim. This is typical for phishing, social engineering and cross site scripting attacks.

C3BM Index

Our unique C3BM Index (CVSSv3 Base Meta Index) accumulates the CVSSv3 Meta Base Scores of all entries over time. Comparing this index to the amount of disclosed vulnerabilities helps to pinpoint the most important events.

CVSSv3 Base

≤1: 0
≤2: 0
≤3: 0
≤4: 33
≤5: 77
≤6: 116
≤7: 71
≤8: 126
≤9: 20
≤10: 12

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources to aggregate to the most reliable result.

CVSSv3 Temp

≤1: 0
≤2: 0
≤3: 1
≤4: 39
≤5: 108
≤6: 106
≤7: 121
≤8: 55
≤9: 15
≤10: 10

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We also provide our unique meta score for temp scores, even though other sources rarely publish them.

VulDB

≤1: 0
≤2: 0
≤3: 9
≤4: 58
≤5: 93
≤6: 87
≤7: 57
≤8: 136
≤9: 3
≤10: 12

The moderation team always defines the base vector and base score for an entry. These and all other available scores are used to generate the meta score.

NVD

≤1: 0
≤2: 0
≤3: 0
≤4: 0
≤5: 1
≤6: 10
≤7: 43
≤8: 18
≤9: 7
≤10: 21

The National Vulnerability Database (NVD) also defines CVSS vectors and scores. These are usually not complete and might differ from VulDB scores.

CNA

≤1: 0
≤2: 0
≤3: 0
≤4: 2
≤5: 6
≤6: 9
≤7: 15
≤8: 11
≤9: 7
≤10: 1

A CVE Numbering Authority (CNA) is responsible for assigning new CVE entries. They might also include a CVSS score. These are usually not complete and might differ from VulDB scores.

Vendor

≤1: 0
≤2: 0
≤3: 0
≤4: 0
≤5: 0
≤6: 0
≤7: 0
≤8: 0
≤9: 0
≤10: 0

Some vendors are willing to publish their own CVSS vectors and scores for vulnerabilities in their products. The coverage varies from vendor to vendor.

Research

≤1: 0
≤2: 0
≤3: 0
≤4: 0
≤5: 0
≤6: 0
≤7: 0
≤8: 0
≤9: 0
≤10: 0

There are sometimes also security researchers who provide their own CVSS vectors and scores for vulnerabilities they have found and published.

Exploit 0-day

<1k: 114
<2k: 135
<5k: 188
<10k: 6
<25k: 6
<50k: 5
<100k: 1
≥100k: 0

The moderation team works with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day price of an exploit before it gets distributed or becomes public. Calculated prices are aligned to prices disclosed by vulnerability brokers and compared to prices we see on exploit markets.

Exploit Today

<1k: 433
<2k: 13
<5k: 4
<10k: 1
<25k: 4
<50k: 0
<100k: 0
≥100k: 0

The 0-day prices do not consider time-relevant factors. The today price reflects price impacts such as disclosure of vulnerability details, alternative exploits, and availability of countermeasures. These dynamic aspects might decrease exploit prices over time. Under certain circumstances this happens very fast.

Exploit Market Volume

Our unique calculation of exploit prices makes it possible to forecast the expected exploit market volume. The calculated prices for all possible 0-day exploits are cumulated for this task. Comparing the volume to the amount of disclosed vulnerabilities helps to pinpoint the most important events.

CTI Activities

Our unique Cyber Threat Intelligence aims to determine the ongoing research of actors in order to anticipate their activities. Observing exploit markets on the Darknet, discussions of vulnerabilities on mailing lists, and exchanges on social media makes it possible to identify planned attacks. Monitored actors and activities are classified as offensive or defensive. They are also weighted, as some actors are well known for certain products and technologies, and some of their disclosures might contain more or less detail about technical aspects and personal context. The world map highlights active actors in real time.

Affected Products (258): 12planet Chat Server, 123flashchat eChat plugin, 123 Flash Chat Module, A51dev Activecollab Chat Module, Acobot Live Chat , Acobot Contact Form, ActiveHelper ActiveHelper LiveHelp Live Chat, Adrenalin Labs Adrenalins Asp Chat, Adventia Chat, Adventia Server, Andys Chat, Anna^ IRC Bot, App Rocket.Chat, Appindex MWChat, Apple iChat, Apple Ichat, Apple Ichat Av, Apple iChat Server, Apple Ichat Server, ARSC Really Simple Chat, Atheme IRC Services, Atlassian Hipchat Server, Banckle Chat, Bigfun IRC Client, Bird Internet Chat Server, BitchX IRC Client, BlueSky BlueSkychat, Browser IRC Client, Candy Chat, Cgiirc CGI:IRC, Cgiscript.net csChat-R-Box, CGI:IRC, ChatBot Application with a Suggestion Feature, ChatBot App with Suggestion, ChatBox Chat Rooms, Chatness, Chatopera Cosin, Chatspot, Chattaitaliano Istant-Replay, chattanoogastate eLearn, ChatterBox, Chatty, chatwm, chatwoot, ChatWork Desktop App, chat anywhere, Chat Anywhere, Chat Anywhere Extension, Chat Room Module, Cisco Email, Cisco Email Center, Cisco Enterprise Chat, Cisco Enterprise Chat and Email, clickdesk Clickdesk Live Support-live Chat Plugin, Codologic Com Freichat, Convos-Chat, Cool Cafe Chat, Crisp Live Chat Plugin, CSS-TRICKS Chat2, Daniel Toma WebChat, Darrens 5-dollar Script Archive flashChat, Darrens 5-dollar Script Archive FlashChat, Denora IRC Stats, Develooping Flash Chat, Digi-net Digichat, Discourse-Chat, discourse-chat, Douchat, DSChat, EFS Easy Chat Server, Efs Software Easy Chat Server, eGain Chat, Eggheads Eggdrop IRC Bot, Enghouse Web Chat, Epic IRC Client, Familycms Family Connections Who is Chatting, Faust Informatics Freestyle Chat, Fijiwebdesign Com Ajaxchat, Fish Encryption IRC, Flashtux WeeChat, Flat Chat, FlexChat, Frankly Chat, FreeChat, Free Live Chat Support Plugin, Free Web Chat, FreiChat, Fujitsu Chocoa IRC Client, Genesys PureConnect Interaction Web Tools Chat Service, Gist Chatbot, GTChat, Gyach Enhanced Chat Room, HexChat, Hipchat Desktop Client, 
Hipchat Server, Hipchat Plugin, iLove Ilove - Free Dating! Chat App, IRC-Worm.Win32.Jane.a, IRC-Worm.Win32.Silentium.a, IRC Plugin, IRC Server, IRC Services, IRC Services NickServ LISTLINKS, Jackdapp Jack'd - Gay Chat! Dating, James Seter BNC IRC, JAUMO Chat, JAUMO Flirt! Dating Heart Jaumo, JivoChat Live Chat Plugin, Jollybox.de TCP Chat, Joompolitan Com Livechat, Khaled Mardam-Bey mIRC, Khaled Mardam-Bey Mirc, kvirc IRC Client, KVIrc IRC Client, LANChat Pro Revival, LeafDigital LeafChat, Let's PHP! Frame High-Speed Chat, Let's PHP! Simple Chat, Lionmax Software Chat Anywhere, Live.me - Live Stream Video Chat, livehelperchat, LiveZilla Live Chat, Live Chat - Live Support, Live Helper Chat, Mata MataChat, matrix-appservice-irc, Mazens PHP Chat, Mazens PHP Chat, MCQs, MedQuiz: Medical Chat, Melange Chat Server, Melange Chat System, Micro Focus Service Manager, Micro Focus Service Manager Chat Server, Micro Focus Service Manager Chat Service, Ming Han AJchat, Minichat, mIRC, mirc, mIRC Advanced Integration Plugin, mIRC Plug-in for Winamp, MM Chat, Mohachat MOHA Chat, MPM Chat, MWChat Pro, NatterChat, Natterchat, Netchat Subnet Chat Application, Ninjadesigns Flatchat, Onelouder FriendCaster Chat, On Page SEO and Whatsapp Chat Button Plugin, oretnom23 ChatBot App with Suggestion, Parachat Server, Payperviewvideosoftware Pay Per Minute Video Chat Script, PCPIN PCPIN Chat, Philippe CROCHAT EasySite, phpFreeChat, phpHeaven phpMyChat, Phpheaven PhpMyChat, phpHeaven PHPMyChat, Phpheaven phpMyChat, Phpheaven PHPMyChat, Phpheaven PhpMyChat Plus, phpMyChat, phpMyChat-Plus, PhpMyChat Plus, PhpOnlineChat, PHPOpenChat, PHP Based Web Chat Manager, Pirch IRC Client, Proton Energymech Irc Bot, Pro Chat Rooms, Pro Chat Rooms Text Chat Rooms, Quassel-irc Quassel, Quassel-irc Quassel Irc, Quassel-irc Quassel IRC, Quassel IRC, Quick Chat Plugin, ramank775 Chat Server, RealChat, Reallysimplechat Really Simple Chat, Rhapsody IRC, Rocket.Chat, Rocket.chat, Rocket.Chat Desktop Application, 
Rocket.Chat Mobile App, Rocket.Chat Server, Rocket.Chat Server, RocketChat LiveChat, ScatterChat, Scott Weedon Ajax Chat, Script* Log-Chat, Shawn Webb Webbsyte Chat, Siemens TIM 1531 IRC, Simm-comm SCI Photo Chat, Simple Keitai Chat, SimpleChat, Simple Ajax Chat, Simple Ajax Chat Plugin, Simple Chatting System, Skout BoyAhoy - Gay Chat, Skout Flurv Chat, Skout Skout: Chats. Friends. Fun., SleeperChat, Smart IRC Daemon, Sourcecodester Simple Chatbot Application, Spytech Spynet Chat, Stephen Craton Chatness, Successkid Harris Wap Chat, Synology Chat, sz.chat, SZ NetChat, T0pp8uzz Dana IRC client, Tawk.To Live Chat Plugin, TechyTalk Quick Chat Plugin, Tencent WeChat, Tencent WeChat Desktop, TIM 1531 IRC, TJSChat, Topcmm Computing 123 Flash Chat Server, Tufat FlashChat, Unichat, V3chat V3 Chat Live Support, V3chat V3 Chat Profiles Dating Script, V3 Chat, VChat, Vibease Chat App, Vibease Wireless Remote Vibrator App, VideoWhisper PHP 2 Way Video Chat, Vincent Tietz vjchat, Visual IRC, Voodoo chat, Wchat Fully Responsive PHP AJAX Chat Script, Webchat.org WebChat, Webchat, WeChat App, WeeChat, WF-Chat, wIRCSrv IRC Server, WircSrv IRC Server, Wise Chat Plugin, wp-live-chat-support Plugin, WP Live Chat Support, WP Social Chat Plugin, X-Chat, X7chat X7 Chat, X7 Chat, X7 Group X7 Chat, XChat, xchat, Xchat, XChat-GNOME, yChat, yuriyouzhou KG-fashion-chatbot, Zeacom Chat Server, Zehnet Zz Flashchat, Zipstore Zip Store Chat, Zoom Chat

Published | Base | Temp | Vulnerability | Product | Exp | Rem | CTI | CVE
09/24/2022 | 4.3 | 4.1 | Rocket.Chat Mobile App PIN improper authentication | Mobile App | Not Defined | Official Fix | 0.05 | CVE-2022-30124
09/24/2022 | 3.5 | 3.4 | Rocket.Chat Style cross site scripting | Rocket.Chat | Not Defined | Official Fix | 0.00 | CVE-2022-35251
09/24/2022 | 5.5 | 5.3 | Rocket.chat Direct Message access control | Rocket.chat | Not Defined | Official Fix | 0.05 | CVE-2022-35250
09/24/2022 | 5.5 | 5.3 | Rocket.Chat Two Factor Authentication improper authentication | Rocket.Chat | Not Defined | Official Fix | 0.00 | CVE-2022-35248
09/24/2022 | 3.7 | 3.6 | Rocket.Chat cleartext transmission | Rocket.Chat | Not Defined | Official Fix | 0.04 | CVE-2022-32227
09/24/2022 | 3.5 | 3.4 | Rocket.Chat OAuth Token cleartext storage | Rocket.Chat | Not Defined | Official Fix | 0.00 | CVE-2022-32217
09/24/2022 | 6.3 | 6.0 | Rocket.Chat 2FA Secret sql injection | Rocket.Chat | Not Defined | Official Fix | 0.06 | CVE-2022-32211
09/24/2022 | 3.5 | 3.4 | Rocket.Chat Direct Message getUserMentionsByChannel information disclosure | Rocket.Chat | Not Defined | Official Fix | 0.04 | CVE-2022-35249
09/24/2022 | 3.5 | 3.4 | Rocket.Chat ACL Check getRoomRoles information disclosure | Rocket.Chat | Not Defined | Official Fix | 0.00 | CVE-2022-35247
09/24/2022 | 3.5 | 3.4 | Rocket.Chat Meteor Server getS3FileUrl injection | Rocket.Chat | Not Defined | Official Fix | 0.05 | CVE-2022-35246
09/24/2022 | 3.5 | 3.4 | Rocket.Chat MongoDB chat.getThreadsList information disclosure | Rocket.Chat | Not Defined | Official Fix | 0.05 | CVE-2022-32229
09/24/2022 | 3.5 | 3.4 | Rocket.Chat Message ID information disclosure | Rocket.Chat | Not Defined | Official Fix | 0.04 | CVE-2022-32228
09/24/2022 | 5.5 | 5.3 | Rocket.Chat Meteor Server getUsersOfRoom access control | Rocket.Chat | Not Defined | Official Fix | 0.00 | CVE-2022-32226
09/24/2022 | 3.5 | 3.4 | Rocket.Chat Message getUserMentionsByChannel information disclosure | Rocket.Chat | Not Defined | Official Fix | 0.04 | CVE-2022-32220
09/24/2022 | 3.5 | 3.4 | Rocket.Chat REST Endpoint Users.find information disclosure | Rocket.Chat | Not Defined | Official Fix | 0.00 | CVE-2022-32219
09/24/2022 | 3.5 | 3.4 | Rocket.Chat Regex MongoDB Query actionLinkHandler information exposure | Rocket.Chat | Not Defined | Official Fix | 0.00 | CVE-2022-32218
09/16/2022 | 3.5 | 3.5 | Genesys PureConnect Interaction Web Tools Chat Service Printable Chat History cross site scripting | PureConnect Interaction Web Tools Chat Service | Not Defined | Not Defined | 0.05 | CVE-2022-37775
09/14/2022 | 7.5 | 7.4 | matrix-appservice-irc Channel privileges management | matrix-appservice-irc | Not Defined | Official Fix | 0.04 | CVE-2022-39203
09/14/2022 | 4.5 | 4.4 | matrix-appservice-irc IRC Protocol privileges management | matrix-appservice-irc | Not Defined | Official Fix | 0.00 | CVE-2022-39202
09/07/2022 | 4.4 | 4.4 | Discourse-Chat cross site scripting | Discourse-Chat | Not Defined | Official Fix | 0.04 | CVE-2022-36057
09/06/2022 | 6.1 | 6.0 | chatwoot improper authorization | chatwoot | Not Defined | Official Fix | 0.04 | CVE-2022-2901
08/22/2022 | 3.6 | 3.5 | WP Social Chat Plugin Setting cross site scripting | WP Social Chat Plugin | Not Defined | Official Fix | 0.03 | CVE-2022-2361
08/20/2022 | 6.5 | 6.4 | chatwoot cross site scripting | chatwoot | Not Defined | Official Fix | 0.05 | CVE-2022-0542
08/19/2022 | 5.5 | 5.5 | chatwoot cross site scripting | chatwoot | Not Defined | Official Fix | 0.05 | CVE-2022-1021
07/27/2022 | 3.3 | 3.2 | WeChat App Address Book wx.searchContacts information disclosure | App | Not Defined | Not Defined | 0.08 | CVE-2021-40180

430 more entries are not shown
