CVE-2023-33186 Information

Description

Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. The main development branch of Zulip Server from May 2, 2023 onward, including beta versions 7.0-beta1 and 7.0-beta2, is vulnerable to a cross-site scripting vulnerability in tooltips on the message feed. An attacker who can send messages could craft a malicious topic for the message such that a victim who hovers over the tooltip for that topic in their message feed triggers execution of JavaScript code controlled by the attacker.

Reference

https://github.com/zulip/zulip/commit/3ca131743b00f42bad8edbac4ef92656d954c629
https://github.com/zulip/zulip/commit/903dbda79bd176702d3175a7c8a5450a64b6eccb
https://github.com/zulip/zulip/security/advisories/GHSA-4r83-8f94-hrph
https://github.com/zulip/zulip/pull/25370