Zulip Server
CVE-2020-14215
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to invitations.
AnalysisAI
Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to invitations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to invitations. Affected products include: Zulip Zulip Server. Version information: before 2.1.5.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.
More in Zulip Server
View allZulip is an open-source team collaboration tool with topic-based threading. Rated critical severity (CVSS 9.8), this vul
In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registere
Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. Rated medium severity (CVSS 5
In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authori
Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres
Zulip is an open-source team collaboration tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploita
Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers. Rated high severity (CVSS 7.5),
Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL
Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zuli
Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi
Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium se
The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. Rated
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today