CVE-2025-30368

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-30368

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30368.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-30368

Aliases

GHSA-rmhr-5ffq-qcrc

Published

2025-03-31T16:26:48Z

Modified

2025-11-13T19:54:31.809850Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Zulip allows the deletion of organization by administrators of a different organization

Details

Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete an export of a different organization. This is fixed in Zulip Server 10.1.

Database specific

{
    "cwe_ids": [
        "CWE-566"
    ]
}

References

Affected packages

Git / github.com/zulip/zulip

Affected ranges

Type: GIT
Repo: https://github.com/zulip/zulip
Events: Introduced

404a321799e6ae84231204c69362ec4de3a42f45

Fixed

13e59d590ee7c02059aaaf19181f499caca022c1

Affected versions

10.*

10.0

10.0-beta1

10.0-beta2