Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Zulip_server
(Zulip)| Repositories | https://github.com/zulip/zulip |
| #Vulnerabilities | 31 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-04-20 | CVE-2020-9444 | Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown functionality. | Zulip_server | 6.1 | ||
| 2020-04-20 | CVE-2020-9445 | Zulip Server before 2.1.3 allows XSS via the modal_link feature in the Markdown functionality. | Zulip_server | 6.1 | ||
| 2020-08-21 | CVE-2020-12759 | Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook. | Zulip_server | 6.1 | ||
| 2020-08-21 | CVE-2020-14194 | Zulip Server before 2.1.5 allows reverse tabnapping via a topic header link. | Zulip_server | 5.4 | ||
| 2020-08-21 | CVE-2020-14215 | Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to invitations. | Zulip_server | 7.5 | ||
| 2020-08-21 | CVE-2020-15070 | Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and chose to write a crafted custom profile field value. | Zulip_server | 8.8 | ||
| 2021-04-15 | CVE-2021-30477 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to. | Zulip_server | 4.3 | ||
| 2021-04-15 | CVE-2021-30478 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation. | Zulip_server | 4.3 | ||
| 2021-04-15 | CVE-2021-30479 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization. | Zulip_server | 5.3 | ||
| 2021-04-15 | CVE-2021-30487 | In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation. | Zulip_server | 2.7 |