First published: Wed Mar 02 2022
Zulip is an open source team chat app. The `main` development branch of Zulip Server from June 2021 and later is vulnerable to a cross-site scripting vulnerability on the recent topics page. An attacker could maliciously craft a full name for their account and send messages to a topic with several participants; a victim who then opens an overflow tooltip including this full name on the recent topics page could trigger execution of JavaScript code controlled by the attacker. Users running a Zulip server from the main branch should upgrade from main (2022-03-01 or later) again to deploy this fix.
Credit: security-advisories@github.com
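The bug class described above is a full name interpolated into tooltip markup without escaping. The following is an added illustration, not Zulip's code or the fix commit: a hypothetical overflow-tooltip builder in its vulnerable form beside the escaped form, run over a constructed participant list whose last name carries markup.

```javascript
// Added example (not Zulip's code): vulnerable vs. hardened overflow tooltip.
// Participant names below are constructed; the last one is attacker-controlled
// and contains markup that an HTML tooltip would interpret as a tag.
const participants = [
  { full_name: "Alice Example" },
  { full_name: "Bob Example" },
  { full_name: '<img src=x onerror="alert(1)">' },
];

// Minimal HTML escaper (hypothetical helper; production code should rely on the
// template engine's autoescaping or an established escaping library).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Names beyond the first `shown` avatars go into the overflow tooltip.
function overflowNames(list, shown) {
  return list.slice(shown).map((p) => p.full_name);
}

// Vulnerable pattern: raw full names concatenated into tooltip HTML, so any
// markup in a name becomes live DOM when the tooltip is rendered.
function buildTooltipHtmlUnsafe(names) {
  return "<div class='tooltip'>" + names.join("<br>") + "</div>";
}

// Hardened pattern: every user-controlled string is escaped before it is
// placed into markup; the browser then shows the name as literal text.
function buildTooltipHtmlSafe(names) {
  return "<div class='tooltip'>" + names.map(escapeHtml).join("<br>") + "</div>";
}

// Review-time check: does the rendered HTML still contain, verbatim, a
// user-supplied string that starts a tag? True means user data reached markup raw.
function containsRawTag(html, names) {
  return names.some((n) => /<[a-z]/i.test(n) && html.includes(n));
}

const overflow = overflowNames(participants, 1);
console.log(containsRawTag(buildTooltipHtmlUnsafe(overflow), overflow)); // true
console.log(containsRawTag(buildTooltipHtmlSafe(overflow), overflow));   // false
```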
Affected Software | Affected Version | How to fix
---|---|---
Zulip Zulip Server | >=2021-06-03, <2022-03-01 | Upgrade from `main` (2022-03-01 or later)
CVE-2022-23656 is a cross-site scripting vulnerability in Zulip Server.
The vulnerability in CVE-2022-23656 allows an attacker to set a maliciously crafted full name on their own account and send messages to a topic with several participants; when a victim opens the overflow tooltip that lists that full name on the recent topics page, attacker-controlled JavaScript runs in the victim's browser.
The severity of CVE-2022-23656 is medium with a CVSS score of 5.4.
To fix the vulnerability in CVE-2022-23656, servers deployed from the `main` branch should upgrade from `main` again to a commit from 2022-03-01 or later, which contains the fix.
More information about CVE-2022-23656 can be found in the Zulip GitHub commit and security advisories: [GitHub Commit](https://github.com/zulip/zulip/commit/e090027adcbf62737d5b1f83a9618a9500a49321), [GitHub Security Advisories](https://github.com/zulip/zulip/security/advisories/GHSA-fc77-h3jc-6mfv).