PT-2022-16165 · Unknown · Zulip Server

Andersk · Published 2022-03-02 · Updated 2022-03-09 · CVE-2022-23656

CVSS v3.1: 4.6 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Zulip Server versions from June 2021 through main branch before 2022-03-01

Description: The issue affects the recent topics page of Zulip Server. An attacker can exploit a cross-site scripting vulnerability by setting a malicious full name on their own account and then sending messages to a topic with multiple participants. If a victim opens an overflow tooltip that includes this full name, JavaScript code controlled by the attacker can be executed.

Recommendations: For Zulip Server versions from June 2021 through main branch before 2022-03-01, upgrade from main to a version of 2022-03-01 or later to deploy the fix. As a temporary workaround, consider restricting access to the recent topics page or disabling the overflow tooltip feature until the upgrade is applied.
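The sink this advisory describes, a participant tooltip built from user-controlled full names, as an added example that is not Zulip's own code: the vulnerable builder beside its escaped form, plus a check a test suite can run over the rendered markup. The participant objects, the `MAX_VISIBLE_AVATARS` constant and every name below are assumptions constructed for the demonstration.

```javascript
// Added example, not Zulip's own code: an "overflow" tooltip listing the
// topic participants who do not fit in the visible avatar row. Full names
// are user-controlled, so interpolating them into tooltip markup unescaped
// is the stored-XSS sink this advisory describes. Names are constructed.

const MAX_VISIBLE_AVATARS = 2; // assumed layout constant

// Minimal HTML escaper for text placed in element content or attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Full names that overflow the visible avatar row.
function overflowNames(participants) {
  return participants.slice(MAX_VISIBLE_AVATARS).map((p) => p.full_name);
}

// Vulnerable pattern: raw names interpolated straight into markup.
function buildTooltipHtmlUnsafe(participants) {
  const items = overflowNames(participants);
  return `<div class="tooltip">${items.join("<br>")}</div>`;
}

// Hardened pattern: every user-controlled string is escaped before it
// becomes markup; wrapper and separator tags stay trusted literals.
function buildTooltipHtmlSafe(participants) {
  const items = overflowNames(participants).map(escapeHtml);
  return `<div class="tooltip">${items.join("<br>")}</div>`;
}

// Regression check: apart from the trusted wrapper and <br> separators,
// the rendered tooltip must not contain a tag that came from a name.
function tooltipContainsRawTag(html) {
  const inner = html.replace(/^<div class="tooltip">/, "").replace(/<\/div>$/, "");
  return /<(?!br>)/.test(inner);
}

// Constructed sample: the last participant has a hostile full name.
const SAMPLE_PARTICIPANTS = [
  { full_name: "Alice Example" },
  { full_name: "Bob Example" },
  { full_name: "Carol Example" },
  { full_name: "Mallory <script>alert(1)</script>" },
];
```

The same check applies to any path where a display name is concatenated into HTML or into a library's `title`/tooltip option that accepts markup; rendering names through `textContent` or a template engine that escapes by default closes the sink.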

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2022-23656
GHSA-FC77-H3JC-6MFV

Affected Products

Zulip Server