Description
Zulip Server 1.5.1 and below contain an error in the implementation of the invite_by_admins_only setting of the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even when the organization was configured to prevent this.
References (3)
Mailing List
https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ
Permissions Required
https://hackerone.com/reports/224210
Issue Tracking, Patch
https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b
Scores
CVSS v3 Base Score
6.5 (Medium)
EPSS
0.0015
EPSS Percentile
34.9%
Attack Vector
NETWORK
CVSS v3 Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-862
CWE-285
Status
published
Products (20)
Zulip/Zulip Server: 1.5.1 and below
zulip/zulip_server: 1.3.0
zulip/zulip_server: 1.3.1
zulip/zulip_server: 1.3.2
zulip/zulip_server: 1.3.3
zulip/zulip_server: 1.3.4
zulip/zulip_server: 1.3.6
zulip/zulip_server: 1.3.7
zulip/zulip_server: 1.3.8
zulip/zulip_server: 1.3.9
... and 10 more
Published
Jun 02, 2017
Tracked Since
Feb 18, 2026