Vulnerability Description
Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. The main development branch of Zulip Server from May 2, 2023 and later, including beta versions 7.0-beta1 and 7.0-beta2, is vulnerable to a cross-site scripting vulnerability in tooltips on the message feed. An attacker who can send messages could maliciously craft a topic for the message, such that a victim who hovers the tooltip for that topic in their message feed triggers execution of JavaScript code controlled by the attacker.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zulip | Zulip Server | 7.0 |
Related Weaknesses (CWE)
References
- https://github.com/zulip/zulip/commit/03cfb3d9fe61c975d133121ec31a7357f0c9e18f
- https://github.com/zulip/zulip/commit/3ca131743b00f42bad8edbac4ef92656d954c629Patch
- https://github.com/zulip/zulip/pull/25370Issue TrackingPatch
- https://github.com/zulip/zulip/security/advisories/GHSA-4r83-8f94-hrphVendor Advisory
- https://github.com/zulip/zulip/commit/03cfb3d9fe61c975d133121ec31a7357f0c9e18f
- https://github.com/zulip/zulip/commit/3ca131743b00f42bad8edbac4ef92656d954c629Patch
- https://github.com/zulip/zulip/pull/25370Issue TrackingPatch
- https://github.com/zulip/zulip/security/advisories/GHSA-4r83-8f94-hrphVendor Advisory
FAQ
What is CVE-2023-33186?
CVE-2023-33186 is a vulnerability with a CVSS score of 8.2 (HIGH). Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. The main development branch of...
How severe is CVE-2023-33186?
CVE-2023-33186 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-33186?
Check the references section above for vendor advisories and patch information. Affected products include: Zulip Zulip Server.