CVE-2025-30369
LOWDescription
Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete custom profile fields belonging to a different organization. This is fixed in Zulip Server 10.1.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| zulip | zulip_server |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-30369? +
How severe is CVE-2025-30369? +
What products are affected by CVE-2025-30369? +
How do I check if I'm vulnerable to CVE-2025-30369? +
Related Vulnerabilities
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated adminitrators or moderators with access to the built-in Run SQL …
Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to …
SQL-Injection in Harbor allows priviledge users to leak the task IDs
Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able …
Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers.
Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of …