This is an important security announcement for Zulip installations running the main (development) branch of the Zulip server. The main branch of Zulip Server, since a commit merged on December 4th, was vulnerable to a stored cross-site scripting vulnerability in stream names. A malicious user with permission to create or rename streams could exploit this vulnerability to execute arbitrary JavaScript in other users' browsers.
Self-hosted installations running official numbered releases (e.g. 4.8) are not affected, since this change did not make it into an official release.
- Alex, for the Zulip team