What is CVE-2019-16216?

CVE-2019-16216 refers to a vulnerability in the Zulip server before version 2.0.5 that incompletely validates the MIME types of uploaded files, allowing for a stored cross-site scripting attack.

How severe is CVE-2019-16216?

CVE-2019-16216 has a severity rating of 5.4, which is considered medium.

How does CVE-2019-16216 affect Zulip server?

CVE-2019-16216 affects Zulip server versions before 2.0.5 by allowing logged-in users to upload certain file types and mount a stored cross-site scripting attack on other logged-in users.

What is the fix for CVE-2019-16216?

To fix CVE-2019-16216, it is recommended to update the Zulip server to version 2.0.5 or later.

What is the CWE ID for CVE-2019-16216?

The CWE ID for CVE-2019-16216 is 79.

Vulnerability/
CVE-2019-16216

medium

5.4

CWE

18/9/2019

5/8/2024

CVE-2019-16216: XSS

First published: Wed Sep 18 2019(Updated: )

Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could upload files of certain types to mount a stored cross-site scripting attack on other logged-in users. On a Zulip server using the default local uploads backend, the attack is only effective against browsers lacking support for Content-Security-Policy such as Internet Explorer 11. On a Zulip server using the S3 uploads backend, the attack is confined to the origin of the configured S3 uploads hostname and cannot reach the Zulip server itself.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Zulip Server	>=1.8.0<2.0.5

Remedy

https://github.com/zulip/zulip/commit/1195841dfb9aa26b3b0dabc6f05d72e4af25be3e

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2019-16216?
CVE-2019-16216 refers to a vulnerability in the Zulip server before version 2.0.5 that incompletely validates the MIME types of uploaded files, allowing for a stored cross-site scripting attack.
How severe is CVE-2019-16216?
CVE-2019-16216 has a severity rating of 5.4, which is considered medium.
How does CVE-2019-16216 affect Zulip server?
CVE-2019-16216 affects Zulip server versions before 2.0.5 by allowing logged-in users to upload certain file types and mount a stored cross-site scripting attack on other logged-in users.
What is the fix for CVE-2019-16216?
To fix CVE-2019-16216, it is recommended to update the Zulip server to version 2.0.5 or later.
What is the CWE ID for CVE-2019-16216?
The CWE ID for CVE-2019-16216 is 79.

agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/remedy
agent/severity
agent/weakness
agent/author
agent/first-publish-date
agent/event
agent/description
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/zulip
canonical/zulip server
version/zulip server/1.8.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.