CVE-2017-0896

MEDIUM

Zulip Server <1.5.1 - Privilege Escalation

Title source: llm

Description

Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured to prevent this.

References (3)

[Issue Tracking, Patch] https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b

View Patch ZIP pw:eip

[Mailing List] https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ

[Permissions Required] https://hackerone.com/reports/224210

Scores

CVSS v3 6.5

EPSS 0.0015

EPSS Percentile 35.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-862 CWE-285

Status published

Products (20)

zulip/zulip_server

zulip/zulip_server

zulip/zulip_server

zulip/zulip_server

zulip/zulip_server

zulip/zulip_server

zulip/zulip_server

zulip/zulip_server

zulip/zulip_server

zulip/zulip_server

... and 10 more

Published Jun 02, 2017

Tracked Since Feb 18, 2026