CVE-2022-23656

Zulip is an open source team chat app. The `main` development branch of Zulip Server from June 2021 and later is vulnerable to a cross-site scripting vulnerability on the recent topics page. An attacker could maliciously craft a full name for their account and send messages to a topic with several participants; a victim who then opens an overflow tooltip including this full name on the recent topics page could trigger execution of JavaScript code controlled by the attacker. Users running a Zulip server from the main branch should upgrade from main (2022-03-01 or later) again to deploy this fix.
Configurations

Configuration 1 (hide)

cpe:2.3:a:zulip:zulip_server:*:*:*:*:*:*:*:*

History

09 Mar 2022, 21:10

Type Values Removed Values Added
CPE cpe:2.3:a:zulip:zulip_server:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 3.5
v3 : 5.4
References (MISC) https://github.com/zulip/zulip/commit/e090027adcbf62737d5b1f83a9618a9500a49321 - (MISC) https://github.com/zulip/zulip/commit/e090027adcbf62737d5b1f83a9618a9500a49321 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/zulip/zulip/security/advisories/GHSA-fc77-h3jc-6mfv - (CONFIRM) https://github.com/zulip/zulip/security/advisories/GHSA-fc77-h3jc-6mfv - Third Party Advisory

02 Mar 2022, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-03-02 21:15

Updated : 2024-02-04 22:29


NVD link : CVE-2022-23656

Mitre link : CVE-2022-23656

CVE.ORG link : CVE-2022-23656


JSON object : View

Products Affected

zulip

  • zulip_server
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')