CVE-2022-23656

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-23656
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23656.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-23656
Aliases
  • GHSA-fc77-h3jc-6mfv
Published
2022-03-02T20:25:10Z
Modified
2026-04-10T04:44:53.377232Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Cross-site scripting vulnerability in Zulip Server
Details

Zulip is an open source team chat app. The main development branch of Zulip Server from June 2021 and later is vulnerable to a cross-site scripting vulnerability on the recent topics page. An attacker could maliciously craft a full name for their account and send messages to a topic with several participants; a victim who then opens an overflow tooltip including this full name on the recent topics page could trigger execution of JavaScript code controlled by the attacker. Users running a Zulip server from the main branch should upgrade from main (2022-03-01 or later) again to deploy this fix.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23656.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/zulip/zulip

Affected ranges

Type
GIT
Repo
https://github.com/zulip/zulip
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e090027adcbf62737d5b1f83a9618a9500a49321
Type
GIT
Repo
https://github.com/zulip/zulip
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e090027adcbf62737d5b1f83a9618a9500a49321

Affected versions

1.*
1.3.0
1.3.1
1.3.10
1.3.11
1.3.13
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
1.5.0
1.6.0
1.7.0
1.8.0
1.8.0-rc1
1.9.0
1.9.0-rc2
1.9.0-rc3
2.*
2.0.0
2.0.0-rc1
2.1-dev
2.1.0
2.1.0-rc1
2.2-dev
3.*
3.0
3.0-dev
3.0-rc1
3.0-rc2
4.*
4.0
4.0-dev
5.*
5.0-dev
enterprise-1.*
enterprise-1.1.5
enterprise-1.2.0
shared-0.*
shared-0.0.1
shared-0.0.2
shared-0.0.3
shared-0.0.4
shared-0.0.5
shared-0.0.6

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "2021-06-03"
            },
            {
                "fixed": "2022-03-01"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23656.json"