What the vulnerability does

Description

An information disclosure vulnerability exists in Rocket.Chat versions before 4.7.5: the "users.list" REST endpoint accepts a query parameter from the request, parses it as JSON, and passes it directly to Users.find(queryFromClientSide). As a result, virtually any authenticated user can read any stored data (except password hashes) of any user.
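To make the mechanism concrete, the following is an added example and not Rocket.Chat's own code: a small in-memory stand-in for a Mongo-style users collection (the sample documents are constructed), a handler in the vulnerable shape the advisory describes (client JSON handed to find() unchanged, only the password hash stripped), and a hardened handler that whitelists selector keys, rejects operator objects, and applies a fixed server-side projection. The function and field names are assumptions for illustration.

```javascript
// Added example, not Rocket.Chat's code. Demonstrates why passing a
// client-supplied query object straight to find() discloses every stored
// field, and what a server-controlled selector and projection look like.

// Constructed sample data (hypothetical users; hash values are placeholders).
const USERS = [
  { _id: 'u1', username: 'alice', name: 'Alice', roles: ['admin'],
    emails: [{ address: 'alice@example.test' }],
    services: { password: { bcrypt: '$2b$10$hash-placeholder' } } },
  { _id: 'u2', username: 'bob', name: 'Bob', roles: ['user'],
    emails: [{ address: 'bob@example.test' }],
    services: { password: { bcrypt: '$2b$10$hash-placeholder' } } },
];

// Minimal stand-in for Users.find(selector, { fields }): equality match on
// top-level keys, plus an inclusion projection over top-level fields.
function find(selector, options = {}) {
  const matches = USERS.filter(doc =>
    Object.entries(selector).every(
      ([k, v]) => JSON.stringify(doc[k]) === JSON.stringify(v)));
  const fields = options.fields;
  if (!fields) return matches.map(doc => ({ ...doc }));
  return matches.map(doc => Object.fromEntries(
    Object.keys(fields).filter(k => fields[k] && k in doc).map(k => [k, doc[k]])));
}

// Vulnerable shape (as described in the advisory): the query parameter is parsed
// as JSON and handed to find() unchanged. Only the password hash is removed,
// so emails, roles and every other field are returned to any caller.
function usersListVulnerable(queryParam) {
  const query = JSON.parse(queryParam || '{}');
  return find(query).map(({ services, ...rest }) => rest);
}

// Hardened shape: the server decides which selector keys may be used, refuses
// operator objects (e.g. {"$ne": null}), and always applies a fixed projection.
const ALLOWED_SELECTOR_KEYS = new Set(['username', 'name']);
const PUBLIC_FIELDS = { _id: 1, username: 1, name: 1 };

function usersListHardened(queryParam) {
  const query = JSON.parse(queryParam || '{}');
  for (const [key, value] of Object.entries(query)) {
    if (!ALLOWED_SELECTOR_KEYS.has(key)) {
      throw new Error(`selector key not allowed: ${key}`);
    }
    if (typeof value !== 'string') {
      throw new Error(`only plain string values allowed for: ${key}`);
    }
  }
  return find(query, { fields: PUBLIC_FIELDS });
}

// Demo: the same empty selector returns full documents from one handler and
// only the public fields from the other.
console.log('vulnerable:', JSON.stringify(usersListVulnerable('{}')));
console.log('hardened:  ', JSON.stringify(usersListHardened('{}')));
```

The hardened version keeps the decision about both the selector and the returned fields on the server; the request can only narrow the result set along the whitelisted keys. In a real deployment the projection would also be enforced at the collection layer, so that a future endpoint cannot reintroduce the problem by omitting it.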

Key dates

Disclosure timeline

September 23, 2022: CVE published
May 22, 2025: Record updated