CVE-2023-33186

Cross-site scripting vulnerability in Zulip Server development branch via topic tooltip

Description

Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. The main development branch of Zulip Server from May 2, 2023 and later, including beta versions 7.0-beta1 and 7.0-beta2, is vulnerable to a cross-site scripting vulnerability in tooltips on the message feed. An attacker who can send messages could maliciously craft a topic for the message, such that a victim who hovers the tooltip for that topic in their message feed triggers execution of JavaScript code controlled by the attacker.

Category

8.2
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.25%
Vendor Advisory github.com
Affected: zulip zulip
Published at:
Updated at:

References

Link Tags
https://github.com/zulip/zulip/security/advisories/GHSA-4r83-8f94-hrph vendor advisory
https://github.com/zulip/zulip/pull/25370 patch issue tracking
https://github.com/zulip/zulip/commit/03cfb3d9fe61c975d133121ec31a7357f0c9e18f
https://github.com/zulip/zulip/commit/3ca131743b00f42bad8edbac4ef92656d954c629 patch

Frequently Asked Questions

What is the severity of CVE-2023-33186?
CVE-2023-33186 has been scored as a high severity vulnerability.
How to fix CVE-2023-33186?
To fix CVE-2023-33186, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-33186 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-33186 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-33186?
CVE-2023-33186 affects zulip zulip.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.