PT-2023-24203 · Unknown · Zulip Server

High · andersk

Published 2023-05-30 · Updated 2023-11-06

CVE-2023-33186

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Zulip Server 7.0-beta1 and 7.0-beta2, and the main development branch from May 2, 2023 onward.

Description
The issue is a cross-site scripting vulnerability in the tooltips shown on the message feed. The topic name of a message is placed into the tooltip without being escaped, so an attacker who can send messages can craft a topic containing HTML markup; when a victim hovers over the tooltip for that topic in their message feed, JavaScript controlled by the attacker executes in the victim's browser with the victim's session. This matches the CVSS vector: the attacker needs only an account that can send messages (PR:L), the victim must hover the tooltip (UI:R), and the code runs in the victim's browser rather than on the server (S:C).

Recommendations
No release containing a fix was known at the time of writing. Until one is available: for Zulip Server 7.0-beta1 and 7.0-beta2, consider disabling tooltips on the message feed; for the main development branch from May 2, 2023 onward, restrict access to the message feed or avoid hovering over tooltips for topics from untrusted sources. Because any account that can post a message can set a topic, every topic name from a non-administrator should be treated as untrusted input.
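The pattern behind the description above, as an added example that is not Zulip's code and does not reproduce its fix: a tooltip body assembled as an HTML string from an attacker-controlled topic name, beside the same rendering with the topic escaped as text. The function names, the `topic-tooltip` markup, the `findEventHandlers` check and the sample topic string are all assumptions constructed for this demonstration.

```javascript
// Added example (not from the Zulip project): an unescaped topic name
// dropped into tooltip HTML versus the escaped form. Every name below is
// an assumption made for this demonstration.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Escape the five characters that can change HTML structure or break out of
// an attribute value. This is the minimum for inserting text into an HTML
// string; inserting into a URL or a script context needs different handling.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the attacker-controlled topic is concatenated straight into the
// HTML string that a tooltip library later renders as markup.
function renderTopicTooltipVulnerable(topic) {
  return `<div class="topic-tooltip">Topic: ${topic}</div>`;
}

// Hardened: identical markup, but the untrusted value is escaped first, so a
// topic of "<img ...>" is displayed literally instead of becoming an element.
function renderTopicTooltipSafe(topic) {
  return `<div class="topic-tooltip">Topic: ${escapeHtml(topic)}</div>`;
}

// Review/test helper: list on*= event-handler attributes that occur inside a
// real tag in the rendered HTML. Escaped text such as "&lt;img onerror=" is
// not inside a tag and is therefore not reported.
function findEventHandlers(html) {
  return [...html.matchAll(/<[a-z][^>]*?\s(on[a-z]+)\s*=/gi)].map((m) =>
    m[1].toLowerCase()
  );
}

// Constructed sample topic: a hostile one and a benign one with special characters.
const HOSTILE_TOPIC = "<img src=x onerror=alert(1)>";
const BENIGN_TOPIC = "Q&A <draft>";

// Stand-alone demonstration.
console.log(renderTopicTooltipVulnerable(HOSTILE_TOPIC));
console.log(findEventHandlers(renderTopicTooltipVulnerable(HOSTILE_TOPIC)));
console.log(renderTopicTooltipSafe(HOSTILE_TOPIC));
console.log(findEventHandlers(renderTopicTooltipSafe(HOSTILE_TOPIC)));
console.log(renderTopicTooltipSafe(BENIGN_TOPIC));
```

The hardened form is the general rule for any tooltip, popover or title built from user-supplied strings: pass the value as text (or escape it) rather than enabling HTML rendering for the whole tooltip body. The `findEventHandlers` check is only a coarse regression guard for rendered output; it is not a sanitizer and should not be relied on as one.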

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-33186
GHSA-4R83-8F94-HRPH

Affected Products

Zulip Server