Vulnerability Details CVE-2017-0896
Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured to prevent this.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 36.5%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.0
References
- https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b
- https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ
- https://hackerone.com/reports/224210
- https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b
- https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ
- https://hackerone.com/reports/224210
Products affected by CVE-2017-0896
-
cpe:2.3:a:zulip:zulip_server:1.3.0
-
cpe:2.3:a:zulip:zulip_server:1.3.1
-
cpe:2.3:a:zulip:zulip_server:1.3.10
-
cpe:2.3:a:zulip:zulip_server:1.3.11
-
cpe:2.3:a:zulip:zulip_server:1.3.12
-
cpe:2.3:a:zulip:zulip_server:1.3.13
-
cpe:2.3:a:zulip:zulip_server:1.3.2
-
cpe:2.3:a:zulip:zulip_server:1.3.3
-
cpe:2.3:a:zulip:zulip_server:1.3.4
-
cpe:2.3:a:zulip:zulip_server:1.3.6
-
cpe:2.3:a:zulip:zulip_server:1.3.7
-
cpe:2.3:a:zulip:zulip_server:1.3.8
-
cpe:2.3:a:zulip:zulip_server:1.3.9
-
cpe:2.3:a:zulip:zulip_server:1.4.0
-
cpe:2.3:a:zulip:zulip_server:1.4.1
-
cpe:2.3:a:zulip:zulip_server:1.4.2
-
cpe:2.3:a:zulip:zulip_server:1.4.3
-
cpe:2.3:a:zulip:zulip_server:1.5.0
-
cpe:2.3:a:zulip:zulip_server:1.5.1