Zulip Server Payment Method Modification Vulnerability for Non-Billing Users

Vulnerability

A vulnerability in Zulip Server's payment processing system allowed non-billing organization members to change their organization's default payment method. Two checks were missing. First, the API endpoint that starts a Stripe Checkout card-update session during the upgrade flow was reachable by any user with ordinary organization member privileges, not only users with billing access. Second, when the resulting Checkout session completed, the Stripe webhook handler applied the new payment method to the organization without performing a billing-specific authorization check of its own, so nothing downstream of the endpoint caught the unauthorized request. The page records this as affecting Zulip Server versions through 5.0, with a fix in version 12.0.

Impact

Exploitation allowed a non-billing user to replace the organization's default payment method without authorization, so that subsequent charges could be made against a card the organization's billing administrators had not approved, and billing administrators lost exclusive control over payment method management.

Reproduction

To reproduce this vulnerability, a user with organization member privileges (but no billing access) calls the vulnerable API endpoint to start a card update session and completes the Stripe Checkout session it returns. When Stripe delivers the completion webhook, the handler updates the organization's payment method; the unauthorized change is then visible on the organization's billing page and on the Stripe customer record.
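The following is an added example, not Zulip's own code, that models the flow described in the Vulnerability and Reproduction sections in plain Python: an endpoint that starts a card update session, a stand-in for the hosted Checkout page, and a webhook handler that applies the result. With enforce=False it reproduces the missing checks; with enforce=True the endpoint requires billing access and the webhook re-checks the initiating user before touching the stored payment method. The Role enum, User.has_billing_access policy, BillingSystem class and pm_* identifiers are assumptions made for this example and do not correspond to Zulip's actual API.

```python
# Added example (not Zulip's code): minimal model of the card-update flow and
# the billing-access checks it was missing. All names here are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional
import secrets


class Role(Enum):
    OWNER = "owner"
    MEMBER = "member"


@dataclass
class User:
    name: str
    realm: str
    role: Role
    is_billing_admin: bool = False

    @property
    def has_billing_access(self) -> bool:
        # Assumed policy: organization owners and designated billing admins
        # may manage billing; ordinary members may not.
        return self.role is Role.OWNER or self.is_billing_admin


@dataclass
class Realm:
    name: str
    default_payment_method: Optional[str] = None


@dataclass
class CheckoutSession:
    session_id: str
    realm: str
    initiated_by: str                      # would live in Stripe session metadata
    payment_method: Optional[str] = None   # filled in when Checkout completes


class Forbidden(Exception):
    pass


class BillingSystem:
    """enforce=False reproduces the bug; enforce=True is the hardened flow."""

    def __init__(self, realms: List[Realm], users: List[User], enforce: bool):
        self.realms: Dict[str, Realm] = {r.name: r for r in realms}
        self.users: Dict[str, User] = {u.name: u for u in users}
        self.enforce = enforce
        self.sessions: Dict[str, CheckoutSession] = {}

    # Endpoint called by the logged-in user: the vulnerable entry point.
    def start_card_update_session(self, user: User) -> CheckoutSession:
        if self.enforce and not user.has_billing_access:
            raise Forbidden(f"{user.name} lacks billing access")
        session = CheckoutSession(secrets.token_hex(8), user.realm, user.name)
        self.sessions[session.session_id] = session
        return session

    # Stands in for the user entering a card on Stripe's hosted page.
    def complete_checkout(self, session_id: str, payment_method: str) -> None:
        self.sessions[session_id].payment_method = payment_method

    # Webhook for checkout.session.completed. Verification of the webhook
    # signature is assumed to have happened before this is called.
    def handle_checkout_completed(self, session_id: str) -> None:
        session = self.sessions[session_id]
        if self.enforce:
            # Defense in depth: the webhook is the step that actually changes
            # the stored method, so it re-checks the initiating user itself.
            initiator = self.users[session.initiated_by]
            if not initiator.has_billing_access:
                raise Forbidden(f"{initiator.name} lacks billing access")
        self.realms[session.realm].default_payment_method = session.payment_method


def run_scenario(enforce: bool, actor_name: str) -> Optional[str]:
    """Return the realm's default payment method after the actor runs the flow."""
    realm = Realm("acme")                              # constructed sample org
    owner = User("owner", "acme", Role.OWNER)
    member = User("member", "acme", Role.MEMBER)       # constructed attacker
    billing = BillingSystem([realm], [owner, member], enforce)
    actor = billing.users[actor_name]
    try:
        session = billing.start_card_update_session(actor)
        billing.complete_checkout(session.session_id, f"pm_{actor.name}_card")
        billing.handle_checkout_completed(session.session_id)
    except Forbidden:
        pass
    return realm.default_payment_method


if __name__ == "__main__":
    print("vulnerable, member:", run_scenario(False, "member"))  # pm_member_card
    print("fixed, member:     ", run_scenario(True, "member"))   # None
    print("fixed, owner:      ", run_scenario(True, "owner"))    # pm_owner_card
```

The point of checking in both places is that the webhook, not the endpoint, is where the organization's state changes; a check only at the endpoint leaves the webhook trusting whatever session it is handed, which is the shape of the bug the advisory describes.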

Remediation

The fix is included in Zulip Server version 12.0 and is available as commit bf28c82dc9b1f630fa8e9106358771b20a0040f7 for operators who need to apply it to an existing deployment. Self-hosted deployments do not require any action, since the affected Stripe billing integration runs only on Zulip Cloud.

Added: Feb 26, 2026, 10:33 PM
Updated: Feb 26, 2026, 10:33 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.