Commit Graph

1 Commits

Author SHA1 Message Date
Anders Kaseorg 3ca131743b CVE-2023-33186: Fix topic tooltip cross-site scripting vulnerability.

Commit 903dbda79b (#25370) introduced a
cross-site scripting vulnerability in the tooltips for the stream and
topic in the recipient bar.  An attacker who can send messages could
maliciously craft a topic for the message, such that a victim who
hovers the tooltip for that topic in their message feed triggers
execution of JavaScript code controlled by the attacker.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
2023-05-29 16:35:49 -07:00