In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first…

A NoSQL injection vulnerability in multiple versions of Rocket.Chat can lead to account takeover of the first user with a generated token when an OAuth app is configured. The vulnerability affects versions prior to 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6, and 7.10.9. This is a critical security flaw that allows attackers to compromise user accounts through NoSQL injection attacks. The vulnerability specifically targets OAuth configurations and can result in complete account takeover. Patches are available in the specified fixed versions.