Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, move messages to other streams, and delete messages that they used to have access to, if other relevant organization permissions allow these actions. For example, a user may be able to edit or delete their old messages they posted in such a private stream. An administrator will be able to delete old messages (that they had access to) from the private stream. This issue was fixed in Zulip Server version 7.3.
Published 2023-08-25 21:15:08
Updated 2023-08-31 18:52:21
Source GitHub, Inc.
View at NVD,   CVE.org
Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2023-32678

0.05%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 13 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-32678

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
6.5
MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
2.8
3.6
NIST
6.5
MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
2.8
3.6
GitHub, Inc.

CWE ids for CVE-2023-32678

  • The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
    Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-32678

Products affected by CVE-2023-32678

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!