
CVSS: 8.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

30 May 2023 — Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. The main development branch of Zulip Server from May 2, 2023 and later, including beta versions 7.0-beta1 and 7.0-beta2, is vulnerable to a cross-site scripting vulnerability in tooltips on the message feed. An attacker who can send messages could maliciously craft a topic for the message, such that a victim who hovers the tooltip for that ... • https://github.com/zulip/zulip/commit/03cfb3d9fe61c975d133121ec31a7357f0c9e18f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 May 2023 — Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any other than `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in `AUTHENTICATION_BACKENDS` in `/etc/zulip/settings.py`, and 2: the organization permissions don't require invitations to join, an attacker can create a new account in the organization with an arbitrary email address in their control that's not in the organiz... • https://github.com/zulip/zulip/commit/3df1b4dd7c210c21deb6f829df19412b74573f8d • CWE-285: Improper Authorization CWE-862: Missing Authorization •

CVSS: 3.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 May 2023 — Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows a user to invite a new user also allows them to set the streams that the new user is invited to -- even if the inviting user would not have permissions to add an existing user to streams. While such a configuration is likely rare in... • https://github.com/zulip/zulip/commit/7c2693a2c64904d1d0af8503b57763943648cbe5 • CWE-862: Missing Authorization •

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

07 Feb 2023 — Zulip is an open-source team collaboration tool. In versions of Zulip prior to commit `2f6c5a8` but after commit `04cf68b`, users could upload files with an arbitrary `Content-Type`, which would be served from the Zulip hostname with `Content-Disposition: inline` and no `Content-Security-Policy` header, allowing them to trick other users into executing arbitrary JavaScript in the context of the Zulip application. Among other things, this enables session theft. Only deployments which use the S3 storage (not the l... • https://github.com/zulip/zulip/commit/04cf68b45ebb5c03247a0d6453e35ffc175d55da • CWE-436: Interpretation Conflict •

CVSS: 3.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Nov 2022 — Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity Management (SCIM) account management enabled, Zulip Server 5.0 through 5.6 checked the SCIM bearer token using a comparator that did not run in constant time. Therefore, it might theoretically be possible for an attacker to infer the value of the token by performing a sophisticated timing analysis on a large number of failing requests. If successful, this would allow the attacker to impersonate the SCIM c... • https://github.com/zulip/zulip/commit/59edbfa4113d140d3e20126bc65f4d67b2a8ffe5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

31 Aug 2022 — Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer’s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Se... • https://github.com/zulip/zulip/security/advisories/GHSA-vg5m-mf9x-j452 • CWE-436: Interpretation Conflict •

CVSS: 8.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

29 Aug 2022 — Zulip is an open source team chat and Zulip Mobile is an app for iOS and Android users. In Zulip Mobile through version 27.189, a crafted link in a message sent by an authenticated user could lead to credential disclosure if a user follows the link. A patch was released in version 27.190. • https://blog.zulip.com/2022/08/24/zulip-server-5-6-security-release • CWE-184: Incomplete List of Disallowed Inputs CWE-436: Interpretation Conflict CWE-697: Incorrect Comparison •

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Jul 2022 — In Zulip before 1.3.12, deactivated users could access messages if SSO was enabled. • https://zulip.readthedocs.io/en/2.1.7/overview/changelog.html#id35 • CWE-284: Improper Access Control •

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

28 Jul 2022 — In Zulip before 1.3.12, bot API keys were accessible to other users in the same realm. • https://zulip.readthedocs.io/en/2.1.7/overview/changelog.html#id35 • CWE-284: Improper Access Control •

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

22 Jul 2022 — Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server 5.5. Members who don’t own any bots, and lack permission to create them, can’t exploit the vulnerability. As a workaround for the vulnerability, an organization administrator can restrict the `Who can create bots` permission to admi... • https://github.com/zulip/zulip/commit/751b2a03e565e9eb02ffe923b7c24ac73d604034 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •