Filtered by vendor Zulip
Subscriptions
Filtered by product Zulip Server
Subscriptions
Total
31 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-10935 | 1 Zulip | 1 Zulip Server | 2020-04-28 | 5.4 Medium |
| Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. | ||||
| CVE-2020-9444 | 1 Zulip | 1 Zulip Server | 2020-04-28 | 6.1 Medium |
| Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown functionality. | ||||
| CVE-2020-9445 | 1 Zulip | 1 Zulip Server | 2020-04-27 | 6.1 Medium |
| Zulip Server before 2.1.3 allows XSS via the modal_link feature in the Markdown functionality. | ||||
| CVE-2019-19775 | 1 Zulip | 1 Zulip Server | 2019-12-18 | 6.1 Medium |
| The image thumbnailing handler in Zulip Server versions 1.9.0 to before 2.0.8 allowed an open redirect that was visible to logged-in users. | ||||
| CVE-2017-0910 | 1 Zulip | 1 Zulip Server | 2019-10-09 | N/A |
| In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. | ||||
| CVE-2017-0881 | 1 Zulip | 1 Zulip Server | 2019-10-09 | N/A |
| An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to join. The issue affects all previously released versions of the Zulip server. | ||||
| CVE-2019-16216 | 1 Zulip | 1 Zulip Server | 2019-09-18 | 5.4 Medium |
| Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could upload files of certain types to mount a stored cross-site scripting attack on other logged-in users. On a Zulip server using the default local uploads backend, the attack is only effective against browsers lacking support for Content-Security-Policy such as Internet Explorer 11. On a Zulip server using the S3 uploads backend, the attack is confined to the origin of the configured S3 uploads hostname and cannot reach the Zulip server itself. | ||||
| CVE-2018-9990 | 1 Zulip | 1 Zulip Server | 2018-05-21 | N/A |
| In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead. | ||||
| CVE-2018-9987 | 1 Zulip | 1 Zulip Server | 2018-05-21 | N/A |
| In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications. | ||||
| CVE-2018-9999 | 1 Zulip | 1 Zulip Server | 2018-05-17 | N/A |
| In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend. | ||||
| CVE-2018-9986 | 1 Zulip | 1 Zulip Server | 2018-05-17 | N/A |
| In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor. | ||||