Description: Room access validation is performed on user provided data. In absence of a check whether a Message is in a certain room, attackers can provide an unrelated Room ID where they have access to (e.g. general) to then star an arbitrary message.
https://hackerone.com/reports/1060837