Zulip is an open-source team collaboration tool. Prior to version 11.6, Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments originating from web-public streams can still be retrieved anonymously. As a result, file contents remain accessible even after public access is intended to be disabled. Similarly, even after spectator access is disabled, the /users/me/<stream_id>/topics endpoint remains reachable anonymously, allowing retrieval of topic history for web-public streams. This issue has been patched in version 11.6. This issue has been patched in version 11.6.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NZulip
APPZulip1.4.0 – 11.6 (bez)
Related vulnerabilities
Zulip is an open source team chat and Zulip Mobile is an app for iOS and Andriod users. In Zulip Mobile throug...
In zulip before 1.3.12, deactivated users could access messages if SSO was enabled.
Improper Access Control in GitHub repository zulip/zulip prior to 4.10.
Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. ...
Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import...