CVE-2022-35251 is a stored cross-site scripting (XSS) vulnerability identified in Rocket.chat versions prior to 5.0. The vulnerability arises from improper sanitization of user input in chat messages, allowing an attacker to inject malicious style code into the complete chat window. This style injection enables an adversary to manipulate the visual appearance of the chat interface, block or disable functionality, and hijack the content displayed to targeted users. Because the malicious payloads are stored persistently within chat messages, the attack vector is persistent and triggers automatically whenever the infected message is viewed by a user. The vulnerability requires the attacker to have at least limited privileges (PR:L) and user interaction (UI:R) to trigger, but can affect the confidentiality and integrity of user data by altering displayed content and potentially misleading users. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector with low attack complexity but requiring privileges and user interaction. No known exploits in the wild have been reported to date. The vulnerability was publicly disclosed on September 23, 2022, and fixed in Rocket.chat version 5.0 and later.

For European organizations using Rocket.chat versions prior to 5.0, this vulnerability poses a risk to the confidentiality and integrity of communications. Attackers could manipulate chat content to mislead users, potentially facilitating social engineering, phishing, or spreading misinformation within internal or external communications. The ability to block functionality could disrupt collaboration workflows, impacting productivity. While availability is not directly affected, the trustworthiness of the communication platform could be undermined. Given that Rocket.chat is often used by enterprises, public sector entities, and educational institutions across Europe, exploitation could lead to data leakage or unauthorized information disclosure. The requirement for some privileges and user interaction limits the ease of exploitation but does not eliminate risk, especially in environments with many users and potential insider threats. Persistent XSS also increases risk as malicious payloads remain active until removed, potentially affecting multiple users over time.

European organizations should prioritize upgrading Rocket.chat to version 5.0 or later where this vulnerability is fixed. Until upgrade is possible, organizations should implement strict input validation and sanitization on chat messages, possibly through custom middleware or web application firewalls (WAFs) that can detect and block suspicious style injection payloads. User privileges should be tightly controlled to limit who can send messages with rich content or styles. Security awareness training should emphasize caution when interacting with unexpected or suspicious messages, especially those containing unusual formatting or styles. Monitoring chat logs for anomalous messages and patterns indicative of XSS payloads can help detect exploitation attempts. Additionally, organizations should consider isolating Rocket.chat instances and restricting network access to trusted users to reduce exposure. Regular security assessments and penetration testing focused on chat platforms can help identify residual risks.