Skip to main content

Zulip Server CVE-2023-32678

MEDIUM
Improper Authorization (CWE-285)
2023-08-25 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 25, 2023 - 21:15 nvd
MEDIUM 6.5

DescriptionNVD

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, move messages to other streams, and delete messages that they used to have access to, if other relevant organization permissions allow these actions. For example, a user may be able to edit or delete their old messages they posted in such a private stream. An administrator will be able to delete old messages (that they had access to) from the private stream. This issue was fixed in Zulip Server version 7.3.

AnalysisAI

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-285. Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, move messages to other streams, and delete messages that they used to have access to, if other relevant organization permissions allow these actions. For example, a user may be able to edit or delete their old messages they posted in such a private stream. An administrator will be able to delete old messages (that they had access to) from the private stream. This issue was fixed in Zulip Server version 7.3. Affected products include: Zulip Zulip Server. Version information: version 7.3..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-21706 CRITICAL
9.8 Feb 26

Zulip is an open-source team collaboration tool with topic-based threading. Rated critical severity (CVSS 9.8), this vul

CVE-2019-18933 CRITICAL
9.8 Nov 21

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registere

CVE-2020-10935 MEDIUM POC
5.4 Apr 20

Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. Rated medium severity (CVSS 5

CVE-2017-0910 HIGH
8.8 Nov 27

In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authori

CVE-2020-15070 HIGH
8.8 Aug 21

Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres

CVE-2025-31478 HIGH
8.2 Apr 16

Zulip is an open-source team collaboration tool. Rated high severity (CVSS 8.2), this vulnerability is remotely exploita

CVE-2024-36612 HIGH
7.5 Nov 29

Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers. Rated high severity (CVSS 7.5),

CVE-2020-14215 HIGH
7.5 Aug 21

Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrato

CVE-2025-52559 MEDIUM
6.8 Jul 02

Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL

CVE-2017-0896 MEDIUM
6.5 Jun 02

Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zuli

CVE-2024-27286 MEDIUM
6.5 Mar 20

Zulip is an open-source team collaboration tool. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploi

CVE-2019-16215 MEDIUM
6.5 Sep 18

The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. Rated

Share

CVE-2023-32678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy