
CVE-2021-30487
https://notcve.org/view.php?id=CVE-2021-30487
14 Apr 2021 — In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation. • https://blog.zulip.com/2021/04/14/zulip-server-3-4

CVE-2020-12759
https://notcve.org/view.php?id=CVE-2020-12759
21 Aug 2020 — Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook. • https://blog.zulip.com/2020/06/17/zulip-server-2-1-5-security-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-14194
https://notcve.org/view.php?id=CVE-2020-14194
21 Aug 2020 — Zulip Server before 2.1.5 allows reverse tabnabbing via a topic header link. • https://blog.zulip.com/2020/06/17/zulip-server-2-1-5-security-release • CWE-269: Improper Privilege Management

CVE-2020-14215
https://notcve.org/view.php?id=CVE-2020-14215
21 Aug 2020 — Zulip Server before 2.1.5 has Incorrect Access Control because the migration 0198_preregistrationuser_invited_as adds the administrator role to invitations. • https://blog.zulip.com/2020/06/17/zulip-server-2-1-5-security-release • CWE-269: Improper Privilege Management

CVE-2020-15070
https://notcve.org/view.php?id=CVE-2020-15070
21 Aug 2020 — Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database and chose to write a crafted custom profile field value. • https://blog.zulip.com/2020/06/26/zulip-server-2-1-7-security-release • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2020-9445
https://notcve.org/view.php?id=CVE-2020-9445
20 Apr 2020 — Zulip Server before 2.1.3 allows XSS via the modal_link feature in the Markdown functionality. • https://blog.zulip.org/2020/04/01/zulip-server-2-1-3-security-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-9444
https://notcve.org/view.php?id=CVE-2020-9444
20 Apr 2020 — Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown functionality. • https://blog.zulip.org/2020/04/01/zulip-server-2-1-3-security-release • CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CVE-2020-10935
https://notcve.org/view.php?id=CVE-2020-10935
20 Apr 2020 — Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. • https://blog.zulip.org/2020/04/01/zulip-server-2-1-3-security-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-19775
https://notcve.org/view.php?id=CVE-2019-19775
18 Dec 2019 — The image thumbnailing handler in Zulip Server versions 1.9.0 to before 2.0.8 allowed an open redirect that was visible to logged-in users. • https://blog.zulip.org/2019/12/13/zulip-server-2-0-8-security-release • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVE-2019-18933
https://notcve.org/view.php?id=CVE-2019-18933
21 Nov 2019 — In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account. • https://blog.zulip.org/2019/11/21/zulip-2-0-7-security-release