Zulip Server Organization Export Deletion Vulnerability

Vulnerability

A vulnerability in Zulip Server's export deletion API allowed organization administrators to delete exports from other organizations. The issue arose because the API did not properly verify that the export belonged to the same organization as the user. This flaw was present in Zulip Server 10.0 and was fixed in version 10.1.

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of organization export data.

Reproduction

To reproduce this vulnerability, an administrator of one organization can use the export deletion API to remove an export from a different organization, bypassing the intended restrictions.

Remediation

Users can upgrade to Zulip Server 10.1 to address this vulnerability.
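The missing ownership check described above, and the kind of fix the upgrade delivers, as an added illustration that is not Zulip's own code: a simplified in-memory model with hypothetical names (Realm, RealmExport, make_store, delete_export_vulnerable, delete_export_fixed, denies) showing the role-only check beside a lookup scoped to the caller's organization.

```python
from dataclasses import dataclass

class PermissionDenied(Exception):
    """Raised when the caller may not act on the requested export."""

@dataclass(frozen=True)
class Realm:              # a Zulip organization
    id: int

@dataclass(frozen=True)
class User:
    realm: Realm
    is_realm_admin: bool

@dataclass
class RealmExport:
    realm: Realm
    deleted: bool = False

ACME, GLOBEX = Realm(1), Realm(2)   # constructed sample organizations

def make_store() -> dict:
    """Constructed sample data: one export per organization, keyed by id."""
    return {10: RealmExport(ACME), 20: RealmExport(GLOBEX)}

def delete_export_vulnerable(user: User, export_id: int, store: dict) -> bool:
    """Flawed: the role is checked, but the export is fetched by id alone."""
    if not user.is_realm_admin:
        raise PermissionDenied("organization administrator required")
    export = store[export_id]            # no organization scoping here
    export.deleted = True
    return True

def delete_export_fixed(user: User, export_id: int, store: dict) -> bool:
    """Hardened: the lookup is scoped to the caller's organization."""
    if not user.is_realm_admin:
        raise PermissionDenied("organization administrator required")
    export = store.get(export_id)
    if export is None or export.realm != user.realm:
        raise PermissionDenied("export not found in this organization")
    export.deleted = True
    return True

def denies(fn, user: User, export_id: int, store: dict) -> bool:
    """True if the given delete function refuses the request."""
    try:
        fn(user, export_id, store)
    except PermissionDenied:
        return True
    return False
```

The hardened version reports a foreign export as "not found" rather than "forbidden", so the response does not confirm that an export with that id exists in another organization.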

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 5.8
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.