Skip to main content

Zulip Server CVE-2017-0910

HIGH
Incorrect Authorization (CWE-863)
2017-11-27 support@hackerone.com
8.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 27, 2017 - 16:29 cve.org
HIGH 8.8

DescriptionCVE.org

In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm.

AnalysisAI

In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. Affected products include: Zulip Zulip Server. Version information: before 1.7.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

CVE-2022-21706 CRITICAL
9.8 Feb 26

Zulip is an open-source team collaboration tool with topic-based threading. Rated critical severity (CVSS 9.8), this vul

CVE-2019-18933 CRITICAL
9.8 Nov 21

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registere

CVE-2020-10935 MEDIUM POC
5.4 Apr 20

Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. Rated medium severity (CVSS 5

CVE-2020-15070 HIGH
8.8 Aug 21

Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres

CVE-2025-31478 HIGH
8.2 Apr 16

Zulip is an open-source team collaboration tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploita

CVE-2024-36612 HIGH
7.5 Nov 29

Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers. Rated high severity (CVSS 7.5),

CVE-2020-14215 HIGH
7.5 Aug 21

Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrato

CVE-2025-52559 MEDIUM
6.8 Jul 02

Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL

CVE-2017-0896 MEDIUM
6.5 Jun 02

Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zuli

CVE-2024-27286 MEDIUM
6.5 Mar 20

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2023-32678 MEDIUM
6.5 Aug 25

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium se

CVE-2019-16215 MEDIUM
6.5 Sep 18

The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. Rated

Share

CVE-2017-0910 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy