Zulip is an open source team chat app. The `main` development branch of Zulip Server from June 2021 and later is vulnerable to a cross-site scripting vulnerability on the recent topics page. An attacker could maliciously craft a full name for their account and send messages to a topic with several participants; a victim who then opens an overflow tooltip including this full name on the recent topics page could trigger execution of JavaScript code controlled by the attacker. Users running a Zulip server from the main branch should upgrade from main (2022-03-01 or later) again to deploy this fix.
References
Link | Resource |
---|---|
https://github.com/zulip/zulip/commit/e090027adcbf62737d5b1f83a9618a9500a49321 | Patch Third Party Advisory |
https://github.com/zulip/zulip/security/advisories/GHSA-fc77-h3jc-6mfv | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-03-02T20:25:10
Updated: 2022-03-02T20:25:10
Reserved: 2022-01-19T00:00:00
Link: CVE-2022-23656
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-03-02T21:15:08.160
Modified: 2022-03-09T21:10:56.777
Link: CVE-2022-23656
JSON object: View
Redhat Information
No data.
CWE