Stored Cross-Site Scripting Vulnerability in Zulip Server by Zulip
CVE-2019-16216

5.4MEDIUM

Key Information:

Vendor

Zulip

Status
Zulip Server
Vendor
CVE Published:
18 September 2019

What is CVE-2019-16216?

The Zulip server prior to version 2.0.5 fails to fully validate the MIME types of uploaded files, potentially enabling logged-in users to carry out stored cross-site scripting attacks. This vulnerability primarily affects browsers lacking support for Content-Security-Policy, such as Internet Explorer 11, when using the default local uploads backend. However, if the S3 uploads backend is used, the attack is limited to the configured S3 uploads hostname, mitigating the risk to the Zulip server itself.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://blog.zulip.org/2019/09/11/zulip-server-2-0-5-secu...
x_refsource_CONFIRM
https://github.com/zulip/zulip/commit/1195841dfb9aa26b3b0...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.