Zulip
by Zulip
Source repositories
CVEs (51)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-3967 | | | 0.00 | — | 0.01 | | Feb 26, 2022 | Improper Access Control in GitHub repository zulip/zulip prior to 4.10. |
| CVE-2022-21706 | | | 0.00 | — | 0.01 | | Feb 25, 2022 | Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server versions 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack… |
| CVE-2021-43799 | | | 0.00 | — | 0.05 | | Jan 25, 2022 | Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which… |
| CVE-2021-3866 | | | 0.00 | — | 0.01 | | Jan 20, 2022 | Stored cross-site scripting (XSS) in GitHub repository zulip/zulip at or after commit 44f935695d452cc3fb16845a0c6af710438b153d and prior to commit 3eb2791c3e9695f7d37ffe84e0c2184fae665cb6. |
| CVE-2021-43791 | | | 0.00 | — | 0.01 | | Dec 2, 2021 | Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A… |
| CVE-2021-41115 | | | 0.00 | — | 0.02 | | Oct 7, 2021 | Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization… |
| CVE-2020-10857 | | | 0.00 | — | 0.03 | | Feb 5, 2021 | Zulip Desktop before 5.0.0 improperly uses shell.openExternal and shell.openItem with untrusted content, leading to remote code execution. |
| CVE-2020-10858 | | | 0.00 | — | 0.01 | | Feb 5, 2021 | Zulip Desktop before 5.0.0 allows attackers to perform recording via the webcam and microphone due to a missing permission request handler. |
| CVE-2020-24582 | | | 0.00 | — | 0.01 | | Sep 10, 2020 | Zulip Desktop before 5.4.3 allows XSS because string escaping is mishandled during composition of the HTML for the user interface. |
| CVE-2020-12637 | | | 0.00 | — | 0.01 | | May 9, 2020 | Zulip Desktop before 5.2.0 has Missing SSL Certificate Validation because all validation was inadvertently disabled during an attempt to recognize the ignoreCerts option. |
| CVE-2020-9443 | | | 0.00 | — | 0.01 | | Mar 18, 2020 | Zulip Desktop before 4.0.3 loaded untrusted content in an Electron webview with web security disabled, which can be exploited for XSS in a number of ways. This especially affects Zulip Desktop 2.3.82. |
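The two Zulip Desktop entries CVE-2020-10857 (shell.openExternal / shell.openItem called on untrusted content) and CVE-2020-10858 (no permission request handler, so any page in the window could take the webcam and microphone) are instances of a general Electron hardening pattern. The following is an added example, not Zulip Desktop's own code: a scheme allowlist that is consulted before anything reaches shell.openExternal, and a permission policy that grants media access only to the configured server origin. The policy functions are pure so they run under plain Node; the Electron wiring is shown in comments only. The origin `https://chat.example.com`, the function names and the sample URLs are assumptions for illustration.

```javascript
// Added example (not Zulip Desktop's code). Two checks an Electron chat client
// needs before it hands content from a message to the OS or to Chromium.
//
// 1. shell.openExternal(url) on an arbitrary string lets a link in a message
//    launch whatever handler the OS has registered for that scheme (file:,
//    custom protocols, UNC/smb shares). Gate it behind a scheme allowlist.
// 2. Without session.setPermissionRequestHandler, Chromium grants getUserMedia
//    to any page loaded in the window, so remote content can record camera
//    and microphone. Grant media only to the trusted server origin.

// Schemes a chat client has a legitimate reason to open externally.
const ALLOWED_EXTERNAL_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns true only for URLs that are safe to pass to shell.openExternal.
// Parsing with the WHATWG URL class normalises the scheme (case, whitespace),
// so "JAVASCRIPT:..." or "  file:..." cannot slip past a string-prefix check.
function isSafeExternalUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch (e) {
    return false; // unparsable input is never opened
  }
  return ALLOWED_EXTERNAL_SCHEMES.has(url.protocol);
}

// Origin of the server this client is configured against (assumed value).
const TRUSTED_ORIGINS = new Set(['https://chat.example.com']);

// Permission policy reduced to (permission, requestingUrl) -> boolean.
// Electron's handler receives (webContents, permission, callback, details);
// details.requestingUrl is the URL of the frame asking for the permission.
function permissionDecision(permission, requestingUrl) {
  let origin;
  try {
    origin = new URL(String(requestingUrl)).origin;
  } catch (e) {
    return false;
  }
  if (!TRUSTED_ORIGINS.has(origin)) return false;
  // Only the permissions the app actually needs from its own server;
  // everything else (geolocation, clipboard-read, ...) is denied by default.
  return permission === 'media' || permission === 'notifications';
}

// Electron wiring (not executed here):
//   const { shell, session } = require('electron');
//   win.webContents.setWindowOpenHandler(({ url }) => {
//     if (isSafeExternalUrl(url)) shell.openExternal(url);
//     return { action: 'deny' };            // never open a new Electron window
//   });
//   session.defaultSession.setPermissionRequestHandler(
//     (webContents, permission, callback, details) => {
//       callback(permissionDecision(permission, details.requestingUrl));
//     });
```

The allowlist is deliberately a set of schemes rather than a denylist of dangerous ones: the set of schemes with registered OS handlers differs per machine, so a denylist can never be complete. The permission handler defaults to deny, which is the behaviour CVE-2020-10858 was missing.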
Page 3 of 3