{"id":"CVE-2017-0896","details":"Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured to prevent this.","modified":"2026-04-10T03:55:56.958846Z","published":"2017-06-02T17:29:00.167Z","references":[{"type":"WEB","url":"https://groups.google.com/forum/#%21msg/zulip-announce/sUYeJv-fFmg/2TU2TLmNAwAJ"},{"type":"REPORT","url":"https://hackerone.com/reports/224210"},{"type":"FIX","url":"https://github.com/zulip/zulip/commit/1f48fa27672170bba3b9a97384905bb04c18761b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zulip/zulip","events":[{"introduced":"0"},{"last_affected":"b69c6228af03634061cba29f3aa7200c14e7c626"},{"introduced":"0"},{"last_affected":"aeb6a5df7c2d88da7c4fde82df0ba5b0686f8080"},{"introduced":"0"},{"last_affected":"974a9bd0f3eabcccd091ce0fe274b982b785fd23"},{"introduced":"0"},{"last_affected":"f0add4638ca7c8372dde4781f034ac79c4740f3c"},{"introduced":"0"},{"last_affected":"e5f7000a23cba9cb3f462e65f013b4e10af75858"},{"introduced":"0"},{"last_affected":"bec3c0943afb45e86d8bd5a6c6f6cf3572ad4a64"},{"introduced":"0"},{"last_affected":"54c964a33211ebf8325b3debec053734e79ca65b"},{"introduced":"0"},{"last_affected":"ac35d268684189e59122a4a9b6423b943831ab51"},{"introduced":"0"},{"last_affected":"5fa6260ae895f9b314910df3354b3282bf44fc54"},{"introduced":"0"},{"last_affected":"e1e7ea01ca6d9dda3225f24ccdfaa844d047bda2"},{"introduced":"0"},{"last_affected":"5ffe1439eb684f5dfe76ad34a67c11f7c8f64fe9"},{"introduced":"0"},{"last_affected":"90634356cb9d3e7772d80330a7e9f9dde958870a"},{"introduced":"0"},{"last_affected":"4958828747281f7b40d786a99d82eda7614ffa1e"},{"introduced":"0"},{"last_affected":"7e4caf3a67a6542714760e4e93f192494905aa05"},{"introduced":"0"},{"last_affected":"f6975f93344a9ce4750bf2967cf84b07a666ea30"},{"introduced":"0"},{"last_affected":"8cc7642cddc8e8fab7a8583f1036232e4e289e2a"},{"introduced":"0"},{"last_affected":"a063dd3b26f7ada794e14ace0d24ea1834611446"},{"introduced":"0"},{"last_affected":"e79520c5930a5a3ed1279732dcb8839f2ae8c5f0"},{"introduced":"0"},{"last_affected":"bd01b1e2e4cac3117d5d042aa7ae686bc0573f9d"},{"fixed":"1f48fa27672170bba3b9a97384905bb04c18761b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.3.0"},{"introduced":"0"},{"last_affected":"1.3.1"},{"introduced":"0"},{"last_affected":"1.3.2"},{"introduced":"0"},{"last_affected":"1.3.3"},{"introduced":"0"},{"last_affected":"1.3.4"},{"introduced":"0"},{"last_affected":"1.3.6"},{"introduced":"0"},{"last_affected":"1.3.7"},{"introduced":"0"},{"last_affected":"1.3.8"},{"introduced":"0"},{"last_affected":"1.3.9"},{"introduced":"0"},{"last_affected":"1.3.10"},{"introduced":"0"},{"last_affected":"1.3.11"},{"introduced":"0"},{"last_affected":"1.3.12"},{"introduced":"0"},{"last_affected":"1.3.13"},{"introduced":"0"},{"last_affected":"1.4.0"},{"introduced":"0"},{"last_affected":"1.4.1"},{"introduced":"0"},{"last_affected":"1.4.2"},{"introduced":"0"},{"last_affected":"1.4.3"},{"introduced":"0"},{"last_affected":"1.5.0"},{"introduced":"0"},{"last_affected":"1.5.1"}]}}],"versions":["1.3.0","1.3.1","1.3.10","1.3.11","1.3.12","1.3.13","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.4.1","1.4.2","1.4.3","1.5.0","1.5.1","enterprise-1.1.5","enterprise-1.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-0896.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}