CVE-2024-27286

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published: Mar 20, 2024
Updated: Mar 21, 2024
CWE ID 200

Summary

CVE-2024-27286 is an information-exposure vulnerability (CWE-200) in Zulip, an open-source team collaboration tool. When a user moves a message from a public stream to a private stream, the message remains visible in the public stream for users who already have the stream open but who do not have access to the private stream, until they reload their client. Independently of that stale client state, those users also retain their per-user view permission on the message, so it continues to appear in their search results and in the "All messages" view. Reloading clears only the first problem; the retained view permission is a server-side state issue and does not go away on its own. The flaw dates from Zulip Server 3.0 and became more significant in Zulip Server 8.0, when this single-message move became the default option for moving the last message in a conversation. It is fixed in Zulip Server 8.3, and there is no known workaround, so operators should upgrade.
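The summary describes two related failures: the server changes which stream a message belongs to but does not revoke the view grants it created at send time, and it does not tell connected clients to drop the message. The following Python toy model is an added illustration of that bug class and its correction; it is not Zulip's code, and every name in it (Stream, Message, Server, move_vulnerable, move_fixed, the "quarterly numbers" fixture) is a constructed assumption used only to make the difference between the two move implementations observable.

```python
"""Toy model of the bug class behind CVE-2024-27286 (constructed example,
not Zulip's implementation): moving a message into a private stream must
also revoke per-user view grants and push a delete event to live clients.
"""
from dataclasses import dataclass, field


@dataclass
class Stream:
    name: str
    private: bool
    subscribers: set[str]


@dataclass
class Message:
    id: int
    stream: str
    content: str


@dataclass
class Server:
    streams: dict[str, Stream]
    messages: dict[int, Message] = field(default_factory=dict)
    # Per-user view grant created at send time for every subscriber
    # (the analogue of a per-user message row): user -> message ids.
    grants: dict[str, set[int]] = field(default_factory=dict)
    # Events pushed to each user's still-open client.
    events: dict[str, list[tuple]] = field(default_factory=dict)
    _next_id: int = 1

    def send(self, stream_name: str, content: str) -> Message:
        stream = self.streams[stream_name]
        msg = Message(self._next_id, stream_name, content)
        self._next_id += 1
        self.messages[msg.id] = msg
        for user in stream.subscribers:
            self.grants.setdefault(user, set()).add(msg.id)
            self.events.setdefault(user, []).append(("message", msg.id))
        return msg

    def can_view(self, user: str, msg_id: int) -> bool:
        """Access check used by search and "All messages": a per-user grant
        suffices, and public-stream history is readable by anyone."""
        msg = self.messages[msg_id]
        if msg_id in self.grants.get(user, set()):
            return True
        return not self.streams[msg.stream].private

    def move_vulnerable(self, msg_id: int, new_stream: str) -> None:
        """Only rewrites the stream pointer: old grants survive and no
        client is told to drop the message (the behaviour the advisory
        describes)."""
        self.messages[msg_id].stream = new_stream

    def move_fixed(self, msg_id: int, new_stream: str) -> list[str]:
        """Rewrite the pointer, then revoke grants from users who cannot
        access the destination and push a delete event so open clients
        remove the message without a reload. Returns the revoked users."""
        target = self.streams[new_stream]
        self.messages[msg_id].stream = new_stream
        revoked = []
        for user, ids in self.grants.items():
            if msg_id in ids and target.private and user not in target.subscribers:
                ids.discard(msg_id)
                self.events.setdefault(user, []).append(("delete_message", msg_id))
                revoked.append(user)
        return sorted(revoked)

    def search(self, user: str, needle: str) -> list[int]:
        """Server-side search: only messages the access check allows."""
        return [m.id for m in self.messages.values()
                if needle in m.content and self.can_view(user, m.id)]

    def client_view(self, user: str) -> set[int]:
        """What a still-open client shows: everything received minus
        anything it has since been told to delete."""
        shown: set[int] = set()
        for kind, mid in self.events.get(user, []):
            if kind == "message":
                shown.add(mid)
            elif kind == "delete_message":
                shown.discard(mid)
        return shown


def build() -> Server:
    # Constructed fixture: alice is in both streams, bob only in the public one.
    return Server(streams={
        "general": Stream("general", private=False, subscribers={"alice", "bob"}),
        "secret": Stream("secret", private=True, subscribers={"alice"}),
    })


def demo(fixed: bool) -> dict:
    """Send to the public stream, move to the private one, report what the
    non-member (bob) can still see via search and in his open client."""
    srv = build()
    msg = srv.send("general", "quarterly numbers")
    if fixed:
        srv.move_fixed(msg.id, "secret")
    else:
        srv.move_vulnerable(msg.id, "secret")
    return {
        "bob_search": srv.search("bob", "quarterly"),
        "bob_client": srv.client_view("bob"),
        "alice_search": srv.search("alice", "quarterly"),
    }


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))
    print("fixed:     ", demo(fixed=True))
```

In the vulnerable path bob's search still returns the moved message and his client still displays it; in the fixed path both are empty while alice, a member of the private stream, keeps access. The general lesson is that any operation which changes an object's access scope must re-evaluate every cached authorization derived from the old scope, both persisted grants and client-side state.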

