Shodan
Vulnerabilities
Vulnerable Software
Zulip:  >> Zulip Server  Security Vulnerabilities
CVE-2021-30477
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
CVSS Score
4.3
EPSS Score
0.002
Published
2021-04-15
CVE-2021-30478
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the same Zulip installation.
CVSS Score
4.3
EPSS Score
0.001
Published
2021-04-15
CVE-2021-30479
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-04-15
CVE-2021-30487
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
CVSS Score
2.7
EPSS Score
0.002
Published
2021-04-15
CVE-2020-12759
Zulip Server before 2.1.5 allows reflected XSS via the Dropbox webhook.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-08-21
CVE-2020-14194
Zulip Server before 2.1.5 allows reverse tabnapping via a topic header link.
CVSS Score
5.4
EPSS Score
0.002
Published
2020-08-21
CVE-2020-14215
Zulip Server before 2.1.5 has Incorrect Access Control because 0198_preregistrationuser_invited_as adds the administrator role to invitations.
CVSS Score
7.5
EPSS Score
0.002
Published
2020-08-21
CVE-2020-15070
Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and chose to write a crafted custom profile field value.
CVSS Score
8.8
EPSS Score
0.007
Published
2020-08-21
CVE-2020-10935
Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-04-20
CVE-2020-9444
Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown functionality.
CVSS Score
6.1
EPSS Score
0.002
Published
2020-04-20


Products
Pricing
Contact Us

Shodan ® - All rights reserved