CVE-2023-32678

EPSS 0.03%
Veröffentlicht 25.08.2023 21:15:08
Zuletzt bearbeitet 21.11.2024 08:03:50
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, move messages to other streams, and delete messages that they used to have access to, if other relevant organization permissions allow these actions. For example, a user may be able to edit or delete their old messages they posted in such a private stream. An administrator will be able to delete old messages (that they had access to) from the private stream. This issue was fixed in Zulip Server version 7.3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zulip ≫ Zulip Server Version < 7.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.07

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/zulip/zulip/security/advisories/GHSA-q3wg-jm9p-35fj

Third Party Advisory

https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-7-3

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2023-32678

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32678

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32678

EUVD