CVE Tools
Sign in

CVE-2023-22735

User uploads proxied from S3 lack `Content-Security-Policy` headers, may be served with `Content-Disposition: inline` in zulip

Published: Feb 7, 2023Updated: Nov 21, 2024 Sources: CVE List NVDCWE-436
NVD MITRE
4.4CVSSMEDIUM
EPSS Score
0.5%
Top 60.4%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Zulip is an open-source team collaboration tool. In versions of zulip prior to commit `2f6c5a8` but after commit `04cf68b` users could upload files with arbitrary `Content-Type` which would be served from the Zulip hostname with `Content-Disposition: inline` and no `Content-Security-Policy` header, allowing them to trick other users into executing arbitrary Javascript in the context of the Zulip application. Among other things, this enables session theft. Only deployments which use the S3 storage (not the local-disk storage) are affected, and only deployments which deployed commit 04cf68b45ebb5c03247a0d6453e35ffc175d55da, which has only been in `main`, not any numbered release. Users affected should upgrade from main again to deploy this fix. Switching from S3 storage to the local-disk storage would nominally mitigate this, but is likely more involved than upgrading to the latest `main` which addresses the issue.

CVSS Vector Breakdown

AV:NAC:HPR:LUI:RS:CC:LI:LA:N
Exploitability
AV:NAttack Vector
Network
AC:HAttack Complexity
High
PR:LPrivileges Required
Low
UI:RUser Interaction
Required
Scope
S:CScope
Changed
Impact
C:LConfidentiality
Low
I:LIntegrity
Low
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-436

Affected Products

zulip serverzulip
On-premWeb App
Enterprise Software / collaboration-groupware
zulipzulip
On-premWeb App
Enterprise Software / collaboration-groupware
zuliposs-projectEnterprise Softwareaka zulip

Exploitability

Official Patch Available

References

https://github.com/zulip/zulip/commit/04cf68b45ebb5c03247a0d6453e35ffc175d55da
github.com
https://github.com/zulip/zulip/commit/2f6c5a883e106aa82a570d3d1f243993284b70f3
github.com
https://github.com/zulip/zulip/security/advisories/GHSA-wm83-3764-5wqh
github.com
and 1 more references View all →

Timeline

Published
Feb 7, 2023
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2023-22735 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows