CVE-2023-28357 Information

Description

A vulnerability has been identified in Rocket.Chat where the ACL checks in the Slash Command /mute occur after checking whether a user is a member of a given channel leaking private channel members to unauthorized users. This allows authenticated users to enumerate whether a username is a member of a channel that they do not have access to.

Reference

https://hackerone.com/reports/1445810