Information Disclosure Vulnerability in Rocket.Chat <v4.7.5

CVE-2022-32219 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

An information disclosure vulnerability exists in Rocket.Chat <v4.7.5: the "users.list" REST endpoint read a query parameter from the request JSON and ran Users.find(queryFromClientSide) with it directly. As a result, virtually any authenticated user could retrieve any stored data (except password hashes) of any user.
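The pattern the advisory describes, as an added illustration that is not Rocket.Chat's code: a handler that hands a client-supplied JSON `query` straight to the user lookup, beside a hardened version that allowlists filter keys, rejects operators and nested objects, and applies a fixed projection. The user records, field names and the `findUsers` stand-in for the collection lookup are constructed assumptions.

```javascript
// Added example (not Rocket.Chat's code). Illustrates a client-controlled
// filter passed to a user lookup, and a hardened alternative.

// Vulnerable pattern: whatever filter the client sends is used as-is, so it
// can select users by any stored attribute and return whole documents.
function buildQueryUnsafe(rawQuery) {
  return JSON.parse(rawQuery || '{}');
}

// Hardened version: a small allowlist of filter keys, scalar string values
// only (no operators, no nested objects), and a fixed projection so sensitive
// fields are never returned regardless of the filter.
const ALLOWED_FILTER_KEYS = new Set(['username', 'name', 'status']);
const SAFE_PROJECTION = { _id: 1, username: 1, name: 1, status: 1 };

function buildQuerySafe(rawQuery) {
  const parsed = JSON.parse(rawQuery || '{}');
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
    throw new Error('query must be a JSON object');
  }
  const query = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (!ALLOWED_FILTER_KEYS.has(key)) {
      throw new Error(`filter on "${key}" is not permitted`);
    }
    if (typeof value !== 'string') {
      throw new Error(`filter value for "${key}" must be a string`);
    }
    query[key] = value;
  }
  return { query, projection: SAFE_PROJECTION };
}

// Constructed sample records; `services` stands in for data that must
// never reach another user.
const USERS = [
  { _id: 'u1', username: 'alice', name: 'Alice', status: 'online',
    services: { token: 'constructed-secret-1' } },
  { _id: 'u2', username: 'bob', name: 'Bob', status: 'offline',
    services: { token: 'constructed-secret-2' } },
];

// Minimal stand-in for a collection lookup: exact-match filter, then keep
// only the projected keys.
function findUsers(users, query, projection) {
  return users
    .filter((u) => Object.entries(query).every(([k, v]) => u[k] === v))
    .map((u) => Object.fromEntries(
      Object.keys(projection).filter((k) => k in u).map((k) => [k, u[k]])));
}
```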