CVE-2022-35249 Information

Description

A information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel meteor server method discloses messages from private channels and direct messages regardless of the users access permission to the room.

Reference

https://hackerone.com/reports/1410246