CVE-2023-28623

Name of the Vulnerable Software and Affected Versions Zulip versions prior to 6.2

Description Zulip is an open-source team collaboration tool with unique topic-based threading. An attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organization's LDAP directory, given that ZulipLDAPAuthBackend and an external authentication backend are the only ones enabled in AUTHENTICATION BACKENDS in /etc/zulip/settings.py and the organization permissions don't require invitations to join. The impact is limited to installations with this specific combination of authentication backends and having Invitations are required for joining this organization organization permission disabled.

Recommendations For versions prior to 6.2, upgrade to version 6.2 to address the issue. As a temporary workaround for users unable to upgrade, enable the Invitations are required for joining this organization organization permission to prevent this issue.