PT-2021-23937 · Zulip · Zulip
Author: Alexmv
Published: 2021-12-02
Updated: 2021-12-03
CVE-2021-43791
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Zulip versions prior to 4.8
Description:
Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions, the expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A confirmation link first takes the user to the check_prereg_key_and_redirect endpoint, which then redirects to a POST to /accounts/register/. The problem was that the expiry validation happened only in the check_prereg_key_and_redirect step and not in /accounts/register/ itself, so a registration request carrying an expired confirmation key was still accepted.
Recommendations:
For versions prior to 4.8, upgrade to Zulip 4.8 as soon as possible, as there are no known workarounds for this issue.
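The defect described above is a two-step flow in which only the first step checks expiry. The following added example (not Zulip's code; all names, the ten-day TTL and the timestamps are constructed for illustration) models both steps with a confirmation store, shows the flawed registration handler that trusts the earlier redirect step, and beside it the corrected handler that re-validates the key at the point where the account is actually created:

```python
"""Constructed model of an invitation flow whose expiry check sits only in
the redirect step. Not Zulip's code; function names mirror the advisory's
description but everything here is a simplified stand-in."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Set


@dataclass
class Confirmation:
    key: str
    email: str
    expires_at: datetime  # stand-in for the confirmation object's expiry date


class ExpiredKey(Exception):
    """Raised when a confirmation key is unknown or past its expiry."""


class InviteStore:
    def __init__(self) -> None:
        self._by_key: Dict[str, Confirmation] = {}

    def issue(self, email: str, now: datetime, ttl: timedelta = timedelta(days=10)) -> str:
        key = secrets.token_urlsafe(24)
        self._by_key[key] = Confirmation(key, email, now + ttl)
        return key

    def get_object_from_key(self, key: str, now: datetime) -> Confirmation:
        """The only place that enforces expiry."""
        conf = self._by_key.get(key)
        if conf is None or now > conf.expires_at:
            raise ExpiredKey(key)
        return conf

    def peek(self, key: str):
        """Lookup without an expiry check (what the flawed handler relies on)."""
        return self._by_key.get(key)


def check_prereg_key_and_redirect(store: InviteStore, key: str, now: datetime) -> dict:
    """Step 1 (GET): validate the key, then redirect to the registration form."""
    store.get_object_from_key(key, now)
    return {"redirect_to": "/accounts/register/", "key": key}


def register_vulnerable(store: InviteStore, key: str, now: datetime, accounts: Set[str]) -> bool:
    """Step 2 (POST) as in the flawed flow: assumes step 1 already validated."""
    conf = store.peek(key)  # no expiry check at the point of account creation
    if conf is None:
        return False
    accounts.add(conf.email)
    return True


def register_fixed(store: InviteStore, key: str, now: datetime, accounts: Set[str]) -> bool:
    """Step 2 (POST), corrected: re-validate expiry where the account is created."""
    try:
        conf = store.get_object_from_key(key, now)
    except ExpiredKey:
        return False
    accounts.add(conf.email)
    return True


def demo() -> dict:
    """Drive both handlers with a key that has passed its expiry."""
    store = InviteStore()
    t0 = datetime(2021, 11, 1, tzinfo=timezone.utc)  # constructed issue time
    key = store.issue("invitee@example.com", t0)
    later = t0 + timedelta(days=30)  # well past the ten-day TTL

    # Step 1 refuses the expired link as intended...
    try:
        check_prereg_key_and_redirect(store, key, later)
        step1_accepts = True
    except ExpiredKey:
        step1_accepts = False

    # ...but a POST reaching /accounts/register/ directly is only as safe as step 2.
    vuln_accounts: Set[str] = set()
    fixed_accounts: Set[str] = set()
    return {
        "step1_accepts_expired": step1_accepts,
        "vulnerable_register_accepts_expired": register_vulnerable(store, key, later, vuln_accounts),
        "fixed_register_accepts_expired": register_fixed(store, key, later, fixed_accounts),
        "fixed_register_accepts_fresh": register_fixed(store, key, t0 + timedelta(days=1), fixed_accounts),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that every endpoint which consumes a confirmation object must call the same expiry-enforcing lookup; a check in a preceding redirect is not a substitute, because nothing binds the later POST to having passed through it.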
Weakness Enumeration: Insufficient Session Expiration
Affected Products: Zulip