It is possible for any authenticated user to elevate privileges, view the permissions matrix and view direct messages without the appropriate permissions.

Severity: Medium

Program: Rocket.Chat

Team Summary

Official summary from Rocket.Chat

Description
=====================

For a user with only the "View Private Room" permission it is possible to rewrite the permission role (e.g. to admin) in the /api/v1/me method response via a proxy tool (e.g. Charles) and get access to the server's permissions matrix and view direct messages.

Releases Affected
=====================

Tested on 3.3.3

Steps To Reproduce (from initial installation to vulnerability)
=====================

1. Leave the existing "Guest" role with only the "View Private Room" permission and associate a newly created user with it.
2. Install Charles or another network proxy.
3. Enable local SSL proxying.
4. Turn on the rewrite tool and edit the "roles" parameter in the response body to admin ("roles": ["admin"]) for the /api/v1/me method.
5. Reload the Rocket.Chat page.
6. Now you can open the https://your_server/admin/permissions page with the current server's permissions.
7. Now you can receive direct messages even if the "View Direct Messages" permission is disabled for you.

Impact
=====================

A user who is not meant to be able to participate in direct messaging gains the ability to do so and also gets access to the server's permissions scheme.

This issue has been fixed in 5.0.

Reported by garretby

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Privilege Escalation