
CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Apr 2020 — Zulip Server before 2.1.3 allows XSS via the modal_link feature in the Markdown functionality. • https://blog.zulip.org/2020/04/01/zulip-server-2-1-3-security-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Apr 2020 — Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown functionality. • https://blog.zulip.org/2020/04/01/zulip-server-2-1-3-security-release • CWE-1021: Improper Restriction of Rendered UI Layers or Frames

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

20 Apr 2020 — Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. • https://blog.zulip.org/2020/04/01/zulip-server-2-1-3-security-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Dec 2019 — The image thumbnailing handler in Zulip Server versions 1.9.0 to before 2.0.8 allowed an open redirect that was visible to logged-in users. • https://blog.zulip.org/2019/12/13/zulip-server-2-0-8-security-release • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Nov 2019 — In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account. • https://blog.zulip.org/2019/11/21/zulip-2-0-7-security-release

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Sep 2019 — Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could upload files of certain types to mount a stored cross-site scripting attack on other logged-in users. On a Zulip server using the default local uploads backend, the attack is only effective against browsers lacking support for Content-Security-Policy such as Internet Explorer 11. On a Zulip server using the S3 uploads backend, the attack is confined to the origin of the configured S3... • https://blog.zulip.org/2019/09/11/zulip-server-2-0-5-security-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Sep 2019 — The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amount of CPU time and stall the processing of future messages. • https://blog.zulip.org/2019/09/11/zulip-server-2-0-5-security-release • CWE-1333: Inefficient Regular Expression Complexity

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Apr 2018 — In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor. • https://blog.zulip.org/2018/04/12/zulip-1-7-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Apr 2018 — In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications. • https://blog.zulip.org/2018/04/12/zulip-1-7-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Apr 2018 — In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead. • https://blog.zulip.org/2018/04/12/zulip-1-7-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')