CVE-2022-35962
Crafted link in Zulip message can cause disclosure of credentials
Severity Score: 5.7 (CVSS v3.1)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions
Zulip is an open source team chat and Zulip Mobile is an app for iOS and Android users. In Zulip Mobile through version 27.189, a crafted link in a message sent by an authenticated user could lead to credential disclosure if a user follows the link. A patch was released in version 27.190.
*Credits:
N/A
Timeline
- 2022-07-15 CVE Reserved
- 2022-08-29 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-184: Incomplete List of Disallowed Inputs
- CWE-436: Interpretation Conflict
- CWE-697: Incorrect Comparison
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/zulip/zulip-mobile/releases/tag/v27.190 | Third Party Advisory | |
https://github.com/zulip/zulip-mobile/security/advisories/GHSA-4gj2-j32x-4wg5 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://blog.zulip.com/2022/08/24/zulip-server-5-6-security-release | 2022-09-07 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Zulip | Zulip | < 27.190 | android | Affected |
Zulip | Zulip | < 27.190 | iphone_os | Affected |