Crafted link in Zulip message can cause disclosure of credentials
CVE-2022-35962

8 HIGH

Key Information:

Vendor

Zulip

CVE Published:
29 August 2022

What is CVE-2022-35962?

Zulip is an open source team chat application, and Zulip Mobile is its app for iOS and Android users. In Zulip Mobile through version 27.189, a crafted link in a message sent by an authenticated user could lead to credential disclosure if a user follows the link. A patch was released in version 27.190.

Affected Version(s)

zulip-mobile < 27.190

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
