Rocket.Chat · Rocket.Chat · CVE-2022-32219
**Name of the Vulnerable Software and Affected Versions**
Rocket.Chat versions prior to 4.7.5
**Description**
An information disclosure issue exists that allows virtually any authenticated user to access any data, except password hashes, of any other authenticated user. The cause is that the `users.list` REST endpoint parses a query parameter from JSON and passes the result to the database lookup unchanged, executing `Users.find(queryFromClientSide)`.
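One way to avoid handing a client-supplied query straight to `Users.find`, shown as an added example that is not Rocket.Chat's code or its actual fix: validate the parsed JSON against an allowlist of fields and operators before it reaches the database. The field list, operator list and function names are assumptions chosen for illustration.

```javascript
// Added example: allowlist validation for a client-supplied MongoDB-style query.
// ALLOWED_FIELDS and ALLOWED_OPERATORS are assumptions, not Rocket.Chat's lists.
const ALLOWED_FIELDS = new Set(['username', 'name', 'status', 'active', 'type']);
const ALLOWED_OPERATORS = new Set(['$eq', '$ne', '$in']);
const LOGICAL_OPERATORS = new Set(['$and', '$or']);

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const isScalar = (v) => ['string', 'number', 'boolean'].includes(typeof v);

// Returns the reasons a query is rejected; an empty array means it is accepted.
function validateQuery(query, depth = 0) {
  if (!isPlainObject(query)) return ['query must be an object'];
  if (depth > 3) return ['query nested too deeply'];
  const errors = [];
  for (const [key, value] of Object.entries(query)) {
    if (LOGICAL_OPERATORS.has(key)) {
      // $and / $or: every branch must itself pass validation.
      if (!Array.isArray(value) || value.length === 0) errors.push(`${key} needs a non-empty array`);
      else value.forEach((sub) => errors.push(...validateQuery(sub, depth + 1)));
    } else if (!ALLOWED_FIELDS.has(key)) {
      // Any field or top-level operator outside the allowlist is refused.
      errors.push(`field or operator not allowed: ${key}`);
    } else if (isPlainObject(value)) {
      for (const [op, operand] of Object.entries(value)) {
        const operandOk = op === '$in'
          ? Array.isArray(operand) && operand.every(isScalar)
          : isScalar(operand);
        if (!ALLOWED_OPERATORS.has(op)) errors.push(`operator not allowed on ${key}: ${op}`);
        else if (!operandOk) errors.push(`bad operand for ${key}.${op}`);
      }
    } else if (!isScalar(value)) {
      errors.push(`bad value for ${key}`);
    }
  }
  return errors;
}

// Parse the raw parameter; only a validated query may be passed to the database.
function parseClientQuery(rawJson) {
  let query;
  try { query = JSON.parse(rawJson); } catch (e) { return { ok: false, errors: ['invalid JSON'] }; }
  const errors = validateQuery(query);
  return errors.length ? { ok: false, errors } : { ok: true, query };
}

// Constructed inputs: the first is accepted, the second is rejected.
console.log(parseClientQuery('{"status":"online"}'));
console.log(parseClientQuery('{"internalNote":"x"}'));
```

The same allowlist idea applies to any projection or sort options taken from the client, which this example does not cover.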
**Recommendations**
For versions prior to 4.7.5, update to version 4.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "users.list" REST endpoint to minimize the risk of exploitation.