CVE-2023-32678

EPSS 0.03%
Published 25.08.2023 21:15:08
Last modified 21.11.2024 08:03:50
Source security-advisories@github.com
Teams watchlist Login
Open Login

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, move messages to other streams, and delete messages that they used to have access to, if other relevant organization permissions allow these actions. For example, a user may be able to edit or delete their old messages they posted in such a private stream. An administrator will be able to delete old messages (that they had access to) from the private stream. This issue was fixed in Zulip Server version 7.3.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Zulip ≫ Zulip Server Version < 7.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.07

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/zulip/zulip/security/advisories/GHSA-q3wg-jm9p-35fj

Third Party Advisory

https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-7-3

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2023-32678

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32678

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32678

EUVD