Zulip Server Vulnerability: Unauthorized Message Forging by Users with can_forge_sender Permission

CVE-2021-30478 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation.
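The description above boils down to an authorization check that inspected only the permission bit and never asked *whose* identity was being forged. The following added example, which is not Zulip's code and uses an assumed minimal data model (`Realm`, `UserProfile`, an `is_system_bot` flag, and the function names shown), contrasts that pattern with a hardened check that refuses both failure modes the advisory names: impersonating an installation-wide system bot, and impersonating an account in another organization on the same installation.

```python
"""Illustrative sender-forgery authorization checks modelled on the bug class in
CVE-2021-30478. Added example code, not Zulip's own: the Realm/UserProfile model,
the is_system_bot flag and the function names are assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Realm:
    # One organization hosted on a shared installation (constructed sample model).
    string_id: str


@dataclass(frozen=True)
class UserProfile:
    # Minimal account model: home realm, the forge permission, and whether the
    # account is an installation-wide system bot shared by every realm.
    email: str
    realm: Realm
    can_forge_sender: bool = False
    is_system_bot: bool = False


class ForgeDenied(Exception):
    """Raised when a forged-sender request must be refused."""


def check_forge_sender_vulnerable(actor: UserProfile, forged: UserProfile) -> UserProfile:
    """Pattern of the flawed check: only the permission bit is inspected, so any
    forged identity is accepted, including system bots and users in other realms."""
    if not actor.can_forge_sender:
        raise ForgeDenied("actor lacks can_forge_sender")
    return forged


def check_forge_sender_hardened(actor: UserProfile, forged: UserProfile) -> UserProfile:
    """Hardened check: the permission is necessary but not sufficient. The forged
    identity must live in the actor's own realm and must not be a system bot."""
    if not actor.can_forge_sender:
        raise ForgeDenied("actor lacks can_forge_sender")
    if forged.realm != actor.realm:
        raise ForgeDenied("forged sender belongs to a different realm")
    if forged.is_system_bot:
        raise ForgeDenied("system bots may not be impersonated")
    return forged


# Constructed sample fixtures: two realms on one installation, a shared system
# bot, an integration account holding the permission, and an unprivileged user.
REALM_A = Realm("acme")
REALM_B = Realm("globex")
SYSTEM_BOT = UserProfile("notification-bot@example.invalid", Realm("zulipinternal"),
                         is_system_bot=True)
INTEGRATION = UserProfile("integration@acme.invalid", REALM_A, can_forge_sender=True)
PLAIN_USER = UserProfile("alice@acme.invalid", REALM_A)
SAME_REALM_USER = UserProfile("bob@acme.invalid", REALM_A)
OTHER_REALM_USER = UserProfile("carol@globex.invalid", REALM_B)

CASES = {
    "no_permission": (PLAIN_USER, SAME_REALM_USER),
    "same_realm_user": (INTEGRATION, SAME_REALM_USER),
    "cross_realm": (INTEGRATION, OTHER_REALM_USER),
    "system_bot": (INTEGRATION, SYSTEM_BOT),
}


def evaluate(check: Callable[[UserProfile, UserProfile], UserProfile]) -> Dict[str, str]:
    """Run every constructed case through a check and record allowed/denied."""
    results = {}
    for name, (actor, forged) in CASES.items():
        try:
            check(actor, forged)
            results[name] = "allowed"
        except ForgeDenied:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    for label, check in (("vulnerable", check_forge_sender_vulnerable),
                         ("hardened", check_forge_sender_hardened)):
        print(label, evaluate(check))
```

Running the block shows the vulnerable check allowing the `cross_realm` and `system_bot` cases while the hardened check denies them and still permits the legitimate same-realm forge. The point for reviewers of similar permission code is that a capability flag on the actor should gate the operation, but the target of the operation still needs its own scope checks.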