An information disclosure vulnerability exists in Rocket.Chat <v4.7.5 which allowed the “users.list” REST endpoint gets a query parameter from JSON and runs Users.find(queryFromClientSide). This means virtually any authenticated user can access any data (except password hashes) of any user authenticated.
[
{
"product": "Rocket.Chat",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "fixed in 4.7.5>"
}
]
}
]