LOW🇵🇱 Wersja polska

CVE-2025-30369

CVSS 2.7v3.1pub. 2025-03-31upd. 2025-09-27

Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete custom profile fields belonging to a different organization. This is fixed in Zulip Server 10.1.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
  • Zulip Server

    APP
    Zulip
    1.6.0 – 10.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2019-18933CRITICAL9.8ten sam produkt

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who...

CVE-2025-31478HIGH8.2ten sam produkt

Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limi...

CVE-2024-36612HIGH7.5ten sam produkt

Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers.

CVE-2023-33186HIGH8.2ten sam produkt

Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of em...

CVE-2022-21706HIGH7.2ten sam produkt

Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and abo...