CVE-2025-30368

Low CVSS: 2.7

Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete an export of a different organization. This is fixed in Zulip Server 10.1.

Vendor

Zulip

Product

Zulip

CWE

CWE-566

Yayın Tarihi

2025-03-31 17:15:42

Güncelleme

2025-08-27 01:51:53

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-566 Zulip LOW Zulip 2025

Referanslar

https://github.com/zulip/zulip/commit/07dcee36b2a34d63429d7a706f880628cf3433df https://github.com/zulip/zulip/security/advisories/GHSA-rmhr-5ffq-qcrc https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-10-1

Benzer Kayıtlar

Low

CVE-2026-24050

Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profil…

Medium

CVE-2025-52559

Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL…

Medium

CVE-2025-47930

Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create p…

High

CVE-2025-31478

Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely…

Low

CVE-2025-30369

Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed t…

Medium

CVE-2025-27149

Zulip server provides an open-source team chat that helps teams stay productive and focused. Prior to 10.0, the data exp…