Vendor CVEs
Zulip
All CVEs
67 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-0910 | Zulip | High | 0.57 | 8.8 | 0.01 | — | Nov 27, 2017 | In Zulip Server before 1.7.1, on a server with multiple realms, a vulnerability in the invitation system lets an authorized user of one realm on the server create a user account on any other realm. |
| CVE-2026-25741 | Zulip | High | 0.46 | 7.1 | 0.00 | — | Feb 26, 2026 | Zulip is an open-source team collaboration tool. Prior to commit bf28c82dc9b1f630fa8e9106358771b20a0040f7, the API endpoint for creating a card update session during an upgrade flow was accessible to users with only organization member privileges. When the associated Stripe… |
| CVE-2017-0896 | Zulip | Medium | 0.42 | 6.5 | 0.01 | — | Jun 2, 2017 | Zulip Server 1.5.1 and below suffer from an error in the implementation of the invite_by_admins_only setting in the Zulip group chat application server that allowed an authenticated user to invite other users to join a Zulip organization even if the organization was configured… |
| CVE-2018-9990 | Zulip | Medium | 0.40 | 6.1 | 0.01 | — | Apr 18, 2018 | In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead. |
| CVE-2018-9987 | Zulip | Medium | 0.40 | 6.1 | 0.01 | — | Apr 18, 2018 | In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications. |
| CVE-2018-9986 | Zulip | Medium | 0.40 | 6.1 | 0.01 | — | Apr 18, 2018 | In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor. |
| CVE-2026-40300 | Zulip | Medium | 0.35 | 6.5 | 0.00 | — | May 12, 2026 | Zulip is an open-source team collaboration tool. Prior to 12.0, with message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users'… |
| CVE-2018-9999 | Zulip | Medium | 0.35 | 5.4 | 0.01 | — | Apr 18, 2018 | In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend. |
| CVE-2026-26058 | Zulip | Medium | 0.33 | 6.1 | 0.00 | — | Apr 3, 2026 | Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user… |
| CVE-2017-0881 | Zulip | Medium | 0.28 | 4.3 | 0.01 | — | Mar 28, 2017 | An error in the implementation of an autosubscribe feature in the check_stream_exists route of the Zulip group chat application server before 1.4.3 allowed an authenticated user to subscribe to a private stream that should have required an invitation from an existing member to… |
| CVE-2026-25742 | Zulip | Medium | 0.27 | 5.3 | 0.00 | — | Apr 3, 2026 | Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, even after spectator access (enable_spectator_access / WEB_PUBLIC_STREAMS_ENABLED) is disabled, attachments… |
| CVE-2025-25195 | Zulip | Medium | 0.21 | 4.3 | 0.00 | — | Feb 13, 2025 | Zulip is an open source team chat application. A weekly cron job (added in 50256f48314250978f521ef439cafa704e056539) demotes channels to being "inactive" after they have not received traffic for 180 days. However, upon doing so, an event was sent to all users in the… |
| CVE-2026-24050 | Zulip | — | 0.00 | — | 0.00 | — | Feb 6, 2026 | Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interacting with the… |
| CVE-2025-52559 | Zulip | — | 0.00 | — | 0.00 | — | Jul 2, 2025 | Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of a server shows a preview of what the email weekly digest would contain. This URL, though not the digest itself, contains a cross-site scripting (XSS)… |
| CVE-2025-47930 | Zulip | — | 0.00 | — | 0.00 | — | May 15, 2025 | Zulip is an open-source team chat application. Starting in version 10.0 and prior to version 10.3, the "Who can create public channels" access control mechanism can be circumvented by creating a private or web-public channel, and then changing the channel privacy to public. A… |
| CVE-2025-31478 | Zulip | — | 0.00 | — | 0.00 | — | Apr 16, 2025 | Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign-on authentication backend, meaning the organization places no restrictions on email address domains or… |
| CVE-2025-30369 | Zulip | — | 0.00 | — | 0.00 | — | Mar 31, 2025 | Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an… |
| CVE-2025-30368 | Zulip | — | 0.00 | — | 0.00 | — | Mar 31, 2025 | Zulip is an open-source team collaboration tool. The API for deleting an organization export is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of… |
| CVE-2025-27149 | Zulip | — | 0.00 | — | 0.00 | — | Mar 31, 2025 | Zulip server provides an open-source team chat that helps teams stay productive and focused. Prior to 10.0, the data export to organization administrators feature in Zulip leaks private data. The collection of user-agent types identifying specific integrations or HTTP libraries… |
| CVE-2024-56136 | Zulip | — | 0.00 | — | 0.01 | — | Jan 16, 2025 | Zulip server provides an open-source team chat that helps teams stay productive and focused. Zulip Server 7.0 and above are vulnerable to an information disclosure attack, where, if a Zulip server is hosting multiple organizations, an unauthenticated user can make a request and… |
| CVE-2024-36612 | Zulip | — | 0.00 | — | 0.01 | — | Nov 29, 2024 | Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers. |
| CVE-2024-36624 | Zulip | — | 0.00 | — | 0.00 | — | Nov 29, 2024 | Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construct_copy_div function in copy_and_paste.js. |
| CVE-2024-36625 | Zulip | — | 0.00 | — | 0.00 | — | Nov 29, 2024 | Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_emoji_with_text function in ui_util.ts. |
| CVE-2024-27286 | Zulip | — | 0.00 | — | 0.01 | — | Mar 20, 2024 | Zulip is an open-source team collaboration tool. When a user moves a Zulip message, they have the option to move all messages in the topic, move only subsequent messages as well, or move just a single message. If the user chose to just move one message, and was moving it from a… |
| CVE-2024-21630 | Zulip | — | 0.00 | — | 0.00 | — | Jan 25, 2024 | Zulip is an open-source team collaboration tool. A vulnerability in version 8.0 is similar to CVE-2023-32677, but applies to multi-use invitations, not single-use invitation links as in the prior CVE. Specifically, it applies when the installation has configured non-admins to be… |
| CVE-2023-47642 | Zulip | — | 0.00 | — | 0.00 | — | Nov 16, 2023 | Zulip is an open-source team collaboration tool. It was discovered by the Zulip development team that active users who had previously been subscribed to a stream incorrectly continued being able to use the Zulip API to access metadata for that stream. As a result, users who had… |
| CVE-2023-32678 | Zulip | — | 0.00 | — | 0.00 | — | Aug 25, 2023 | Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, move messages to other streams, and delete… |
| CVE-2023-33186 | Zulip | — | 0.00 | — | 0.01 | — | May 30, 2023 | Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. The main development branch of Zulip Server from May 2, 2023 and later, including beta versions 7.0-beta1 and… |
| CVE-2023-28623 | Zulip | — | 0.00 | — | 0.01 | — | May 19, 2023 | Zulip is an open-source team collaboration tool with unique topic-based threading. In the event that 1: `ZulipLDAPAuthBackend` and an external authentication backend (any aside from `ZulipLDAPAuthBackend` and `EmailAuthBackend`) are the only ones enabled in… |
| CVE-2023-32677 | Zulip | — | 0.00 | — | 0.01 | — | May 19, 2023 | Zulip is an open-source team collaboration tool with unique topic-based threading. Zulip administrators can configure Zulip to limit who can add users to streams, and separately to limit who can invite users to the organization. In Zulip Server 6.1 and below, the UI which allows… |
| CVE-2023-22735 | Zulip | — | 0.00 | — | 0.01 | — | Feb 7, 2023 | Zulip is an open-source team collaboration tool. In versions of zulip prior to commit `2f6c5a8` but after commit `04cf68b` users could upload files with arbitrary `Content-Type` which would be served from the Zulip hostname with `Content-Disposition: inline` and no… |
| CVE-2022-41914 | Zulip | — | 0.00 | — | 0.01 | — | Nov 16, 2022 | Zulip is an open-source team collaboration tool. For organizations with System for Cross-domain Identity Management (SCIM) account management enabled, Zulip Server 5.0 through 5.6 checked the SCIM bearer token using a comparator that did not run in constant time. Therefore, it… |
| CVE-2022-36048 | Zulip | — | 0.00 | — | 0.00 | — | Aug 31, 2022 | Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could… |
| CVE-2022-35962 | Zulip | — | 0.00 | — | 0.01 | — | Aug 29, 2022 | Zulip is an open source team chat and Zulip Mobile is an app for iOS and Android users. In Zulip Mobile through version 27.189, a crafted link in a message sent by an authenticated user could lead to credential disclosure if a user follows the link. A patch was released in… |
| CVE-2016-4427 | Zulip | — | 0.00 | — | 0.01 | — | Jul 28, 2022 | In zulip before 1.3.12, deactivated users could access messages if SSO was enabled. |
| CVE-2016-4426 | Zulip | — | 0.00 | — | 0.00 | — | Jul 28, 2022 | In zulip before 1.3.12, bot API keys were accessible to other users in the same realm. |
| CVE-2022-31168 | Zulip | — | 0.00 | — | 0.01 | — | Jul 22, 2022 | Zulip is an open source team chat tool. Due to an incorrect authorization check in Zulip Server 5.4 and earlier, a member of an organization could craft an API call that grants organization administrator privileges to one of their bots. The vulnerability is fixed in Zulip Server… |
| CVE-2022-31134 | Zulip | — | 0.00 | — | 0.01 | — | Jul 12, 2022 | Zulip is an open-source team collaboration tool. Zulip Server versions 2.1.0 and above have a user interface tool, accessible only to server owners and server administrators, which provides a way to download a "public data" export. While this export is only accessible to… |
| CVE-2022-31017 | Zulip | — | 0.00 | — | 0.01 | — | Jun 25, 2022 | Zulip is an open-source team collaboration tool. Versions 2.1.0 through and including 5.2 are vulnerable to a logic error. A stream configured as private with protected history, where new subscribers should not be allowed to see messages sent before they were subscribed, when… |
| CVE-2022-24751 | Zulip | — | 0.00 | — | 0.01 | — | Mar 16, 2022 | Zulip is an open source group chat application. Starting with version 4.0 and prior to version 4.11, Zulip is vulnerable to a race condition during account deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the… |
| CVE-2022-23656 | Zulip | — | 0.00 | — | 0.01 | — | Mar 2, 2022 | Zulip is an open source team chat app. The `main` development branch of Zulip Server from June 2021 and later is vulnerable to a cross-site scripting vulnerability on the recent topics page. An attacker could maliciously craft a full name for their account and send messages to a… |
| CVE-2021-3967 | Zulip | — | 0.00 | — | 0.01 | — | Feb 26, 2022 | Improper Access Control in GitHub repository zulip/zulip prior to 4.10. |
| CVE-2022-21706 | Zulip | — | 0.00 | — | 0.01 | — | Feb 25, 2022 | Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and above are vulnerable to insufficient access control with multi-use invitations. A Zulip Server deployment which hosts multiple organizations is vulnerable to an attack… |
| CVE-2021-43799 | Zulip | — | 0.00 | — | 0.05 | — | Jan 25, 2022 | Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which… |
| CVE-2021-3866 | Zulip | — | 0.00 | — | 0.01 | — | Jan 20, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository zulip/zulip more than and including 44f935695d452cc3fb16845a0c6af710438b153d and prior to 3eb2791c3e9695f7d37ffe84e0c2184fae665cb6. |
| CVE-2021-43791 | Zulip | — | 0.00 | — | 0.01 | — | Dec 2, 2021 | Zulip is an open source group chat application that combines real-time chat with threaded conversations. In affected versions, expiration dates on the confirmation objects associated with email invitations were not enforced properly in the new account registration flow. A… |
| CVE-2021-41115 | Zulip | — | 0.00 | — | 0.02 | — | Oct 7, 2021 | Zulip is an open source team chat server. In affected versions, Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization… |
| CVE-2021-30479 | Zulip | — | 0.00 | — | 0.01 | — | Apr 14, 2021 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization. |
| CVE-2021-30478 | Zulip | — | 0.00 | — | 0.01 | — | Apr 14, 2021 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other… |
| CVE-2021-30477 | Zulip | — | 0.00 | — | 0.01 | — | Apr 14, 2021 | An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to… |
Page 1 of 2