Timabbott

Name of the Vulnerable Software and Affected Versions: Zulip Server versions 2.0.0-rc1 through 10.3 Description: The issue concerns a cross-site scripting (XSS) vulnerability in Zulip Server, specifically affecting the "/digest/" URL, which displays a preview of the email weekly digest. This vulnerability is present in both topic names and channel names. Recommendations: For Zulip Server versions 2.0.0-rc1 through 10.3, update to version 10.4 to resolve the issue. As a temporary workaround, consider denying access to the "/digest/" URL until the update is applied.

Name of the Vulnerable Software and Affected Versions: Zulip versions 10.0 through 10.2 Description: The issue concerns the "Who can create public channels" access control mechanism in Zulip, which can be circumvented by creating a private or web-public channel and then changing the channel privacy to public. A similar technique can be used to create private channels without permission, though this requires either using the API or modifying the HTML. Recommendations: For versions 10.0 through 10.2, update to version 10.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zulip versions prior to 10.2 **Description** A bug in the Zulip server allows account creation without authenticating with the configured Single Sign-On (SSO) authentication backend in organizations where account creation is limited solely by SSO authentication and email/password authentication is disabled. This issue can be exploited to create an account without having an account with the configured SSO authentication backend. **Recommendations** For versions prior to 10.2, update to version 10.2 to resolve the issue. As a temporary workaround, consider requiring invitations to join the organization to prevent the vulnerability from being accessed.