CVE-2021-3853: XSS in stream names


Alex Vandiver

Jan 19, 2022, 1:08:53 AM1/19/22
to zulip-announce
This is an important security announcement for Zulip installations running the main (development) branch of the Zulip server. The main branch of Zulip Server, since a commit merged on December 4th, was vulnerable to a stored cross-site scripting vulnerability in stream names. A malicious user with permission to create or rename streams could exploit this vulnerability to execute arbitrary JavaScript in other users’ browsers.

Self-hosted installations running official numbered releases (e.g. 4.8) are not affected, since this change did not make it into an official release.

You can read further details in the blog post.

 - Alex, for the Zulip team
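The defect class described in the announcement above, as an added example that is not Zulip's code and not part of the original message: a hypothetical template that renders a user-controlled stream name into a list item. The unsafe variant interpolates the raw name into markup (the stored-XSS pattern); the hardened variant escapes the name first. A small audit helper checks that the rendered output contains no tags other than the ones the template itself emits, which is the kind of assertion a regression test for this bug would make. The sample stream name is constructed for the demonstration.

```javascript
// Added example (not Zulip's code): rendering a user-controlled stream name.
// The template, function names and sample data are assumptions for illustration.

// Minimal HTML escaper for text placed in element content or attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: untrusted text concatenated straight into markup.
// Any markup inside the stream name becomes part of the page.
function renderStreamRowUnsafe(name) {
  return `<li class="stream">${name}</li>`;
}

// Hardened pattern: escape before interpolating, so the name is rendered as text.
function renderStreamRowSafe(name) {
  return `<li class="stream">${escapeHtml(name)}</li>`;
}

// Audit check for a unit test: after rendering, the only tags present should be
// the ones the template emits itself (here, just <li>).
function containsInjectedTag(html, templateTags = ['li']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !templateTags.includes(t));
}

// Constructed sample: a stream name carrying markup, as a user with rename
// permission could submit it.
const sampleName = 'ops <b>team</b>';

// Stand-alone demonstration.
console.log('unsafe:', renderStreamRowUnsafe(sampleName),
  '-> injected tag:', containsInjectedTag(renderStreamRowUnsafe(sampleName)));
console.log('safe:  ', renderStreamRowSafe(sampleName),
  '-> injected tag:', containsInjectedTag(renderStreamRowSafe(sampleName)));
```

The same check generalises to any template: pass the list of tags the template legitimately produces, and treat any other tag in the output as evidence that untrusted text reached the DOM unescaped. In a real client, prefer `textContent` or a templating engine that escapes by default over manual string assembly.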