CVE-2017-0896 - Missing Authorization vulnerability in Zulip Server
CVSS metrics
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE

Summary
Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured to prevent this.
References
- https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b
- https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ
- https://hackerone.com/reports/224210