Multiple vulnerabilities in Zulip Server



Published: 2020-04-28
Risk Low
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2020-9445
CVE-2020-9444
CVE-2020-10935
CWE-ID CWE-79
CWE-1022
Exploitation vector Network
Public exploit Public exploit code for vulnerability #3 is available.
Vulnerable software
Subscribe
Zulip Server
Web applications / Other software

Vendor Zulip

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Cross-site scripting

EUVDB-ID: #VU27391

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9445

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "modal_link" feature in the Markdown functionality. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zulip Server: 1.1.5 - 2.1.2

External links

http://blog.zulip.org/2020/04/01/zulip-server-2-1-3-security-release/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Reverse Tabnabbing

EUVDB-ID: #VU27392

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-9444

CWE-ID: CWE-1022 - Use of Web Link to Untrusted Target with window.opener Access

Exploit availability: No

Description

The vulnerability allows a remote attacker to modify certain properties on the affected system. 

The vulnerability exist due to Reverse Tabnabbing in the Markdown functionality. A remote attacker can modify the location property to automatically redirect the user to a malicious site.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zulip Server: 1.1.5 - 2.1.2

External links

http://blog.zulip.org/2020/04/01/zulip-server-2-1-3-security-release/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Stored cross-site scripting

EUVDB-ID: #VU27393

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-10935

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in a Markdown link. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Zulip Server: 2.1.2

External links

http://blog.zulip.org/2020/04/01/zulip-server-2-1-3-security-release/
http://www.coresecurity.com/advisories/zulip-account-takeover-stored-xss


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###