2021-04-15 02:15:00 2021-04-20 02:05:00

An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation.

Vector

NETWORK

Complexity

LOW

Authentication

SINGLE

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE