CVE-2022-32219
CVE-2022-32219 describes an information disclosure in Rocket.Chat prior to 4.7.5 where the REST endpoint users.list accepts a query parameter from JSON and executes it via Users.find(queryFromClientSide) . This allows virtually any authenticated user to access data from the users collection (exce...