SSRF - bypassing blacklist
Despite introducing blacklist (https://github.com/RocketChat/Rocket.Chat/issues/1990) for links preview, it was still possible to provide domain that resolves to prohibited addresses - e.g. by setting your own domain or using service like http://xip.io.
Privilege escalation via misconfigured MongoDB
Point your domain to server running
redirect.rb and then send a message with proper url to perform attack:
It affects MongoDB with with enabled HTTP interface (
--rest argument), although it’s not enabled by default since 1.4.