
Cross-site Scripting occurrences in Zulip Server

Zulip is an open source team chat app. The `main` development branch of Zulip Server from June 2021 and later is vulnerable to a cross-site scripting vulnerability on the recent topics page. An attacker could maliciously craft a full name for their account and send messages to a topic with several participants; a victim who then opens an overflow tooltip including this full name on the recent topics page could trigger execution of JavaScript code controlled by the attacker. Users running a Zulip server from the main branch should upgrade from main (2022-03-01 or later) again to deploy this fix. (2022-03-02, CVE-2022-23656)

Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook. (2020-08-21, CVE-2020-12759)

Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover. (2020-04-20, CVE-2020-10935)

Zulip Server before 2.1.3 allows XSS via the modal_link feature in the Markdown functionality. (2020-04-20, CVE-2020-9445)

Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could upload files of certain types to mount a stored cross-site scripting attack on other logged-in users. On a Zulip server using the default local uploads backend, the attack is only effective against browsers lacking support for Content-Security-Policy such as Internet Explorer 11. On a Zulip server using the S3 uploads backend, the attack is confined to the origin of the configured S3 uploads hostname and cannot reach the Zulip server itself. (2019-09-18, CVE-2019-16216)
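The issue above comes down to how uploaded files are served back to browsers. The following is an added illustration, not Zulip's code: a small header-selection routine that only lets an allowlisted set of content types render inline, forces everything else (anything a browser could interpret as HTML, SVG or script) to download as an opaque attachment, and sets a `Content-Security-Policy` so that even a misclassified file cannot run script on the application's origin. The allowlist, the `application/octet-stream` fallback and the file-name sanitisation are this example's own choices.

```javascript
// Added example (not from the original page or from Zulip): pick response
// headers for serving a user upload so a file that is really HTML or SVG is
// never rendered inline on the application's origin.

// Types that browsers render inline without being able to execute script
// (assumed allowlist; extend deliberately, never by accepting the client's
// declared type at face value).
const INLINE_SAFE_TYPES = new Set([
  "image/png", "image/jpeg", "image/gif", "image/webp",
  "application/pdf", "text/plain",
]);

// Normalise a declared Content-Type: drop parameters such as charset,
// lower-case it, so "IMAGE/PNG; charset=x" compares equal to "image/png".
function baseType(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// Restrict the file name to a conservative character set so it cannot break
// out of the quoted Content-Disposition parameter.
function safeFileName(fileName) {
  return String(fileName || "download").replace(/[^\w.\-]/g, "_");
}

function uploadResponseHeaders(declaredType, fileName) {
  const type = baseType(declaredType);
  const name = safeFileName(fileName);
  const headers = {
    // Stop the browser from sniffing a different type than the one sent.
    "X-Content-Type-Options": "nosniff",
    // Defence in depth: even if the body is rendered, nothing may load or run.
    "Content-Security-Policy": "default-src 'none'",
  };
  if (INLINE_SAFE_TYPES.has(type)) {
    headers["Content-Type"] = type;
    headers["Content-Disposition"] = `inline; filename="${name}"`;
  } else {
    // Unknown or dangerous type: serve as an opaque download.
    headers["Content-Type"] = "application/octet-stream";
    headers["Content-Disposition"] = `attachment; filename="${name}"`;
  }
  return headers;
}

// Constructed sample calls.
console.log(uploadResponseHeaders("text/html; charset=utf-8", "notes.html"));
console.log(uploadResponseHeaders("image/png", "cat.png"));
console.log(uploadResponseHeaders("image/svg+xml", "logo.svg"));
```

Note that `image/svg+xml` is deliberately not on the allowlist: SVG can embed script, so it is treated like HTML and served as a download. The CSP header is the layer that the CVE text credits with blunting the attack in modern browsers; the attachment disposition and `nosniff` are what protect browsers that ignore CSP.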

In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications. (2018-04-18, CVE-2018-9987)

In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead. (2018-04-18, CVE-2018-9990)

In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend. (2018-04-18, CVE-2018-9999)

In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor. (2018-04-18, CVE-2018-9986)

Why Cross-site Scripting can be dangerous

Cross-site scripting is an attack in which a web page executes code injected by an adversary. It usually appears where user input is rendered into the page. The attack can be used to impersonate a user, take over the user's session, or even steal API keys.

The attack can be executed, for example, when your application injects a request parameter directly into the HTML of the page returned to the user:

https://server.com/confirmation?message=Transaction+Complete

which results in:

<span>Confirmation: Transaction Complete</span>

In that case the message can be modified to contain valid JavaScript code, e.g.:

https://server.com/confirmation?message=<script>dangerous javascript code here</script>

and it will be executed by the user's browser, with full access to the user's application and browser data:

<span>Confirmation: <script>dangerous javascript code here</script></span>
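The confirmation page described above, written out as an added example (not code from the original page): the vulnerable renderer concatenates the `message` parameter straight into the HTML, the hardened one HTML-escapes it first, and a small check a test suite can run confirms that no `<script` element survives escaping. The URLs are the constructed samples from the text; `escapeHtml` and `containsScriptTag` are this example's own helpers.

```javascript
// Added example (not from the original page): reflected XSS in a
// confirmation page, vulnerable renderer beside the escaped one.
// Assumption: the page reads its text from the `message` query parameter,
// as in https://server.com/confirmation?message=...

function messageParam(url) {
  // URLSearchParams decodes "+" to a space and %xx sequences to characters.
  return new URL(url).searchParams.get("message") || "";
}

// Vulnerable: the raw parameter is placed inside the element body.
function renderConfirmationUnsafe(url) {
  return `<span>Confirmation: ${messageParam(url)}</span>`;
}

// Escape every character that can open a tag, attribute or entity.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, escaped value.
function renderConfirmationSafe(url) {
  return `<span>Confirmation: ${escapeHtml(messageParam(url))}</span>`;
}

// Check usable in a regression test: rendered output must never contain a
// <script element, whatever the input was.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inputs: the benign one from the text and a hostile one.
const BENIGN = "https://server.com/confirmation?message=Transaction+Complete";
const HOSTILE =
  "https://server.com/confirmation?message=" +
  encodeURIComponent("<script>alert(1)</script>");

console.log(renderConfirmationUnsafe(BENIGN));
console.log(renderConfirmationUnsafe(HOSTILE)); // script tag lands in the page
console.log(renderConfirmationSafe(HOSTILE));   // rendered as literal text
```

Escaping is the right fix for a value placed in an element body; a value placed in an attribute, a URL or a script block needs the encoding that matches that context, and a `Content-Security-Policy` without `'unsafe-inline'` is the backstop if an escaping step is missed.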
