CVE-2024-36624
📋 TL;DR
Zulip 8.3 contains a cross-site scripting vulnerability in the copy_and_paste.js file that allows attackers to inject malicious scripts into web pages. This affects all users of Zulip 8.3 who view content containing crafted payloads. The vulnerability is in the client-side JavaScript code that handles copy/paste functionality.
💻 Affected Systems
- Zulip
📦 What is this software?
Zulip by Zulip
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, potentially leading to account compromise and data theft.
Likely Case
Limited session hijacking or credential theft from users who interact with malicious content, typically requiring user interaction with crafted messages.
If Mitigated
With proper content security policies and input validation, impact is limited to isolated client-side issues without server compromise.
🎯 Exploit Status
Exploitation requires user interaction (viewing malicious content) but the technical complexity is low with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.4 or apply commit e1029b59ede0c4f314c367ffa1ba2904ffaf6768
Vendor Advisory: https://github.com/zulip/zulip/commit/e1029b59ede0c4f314c367ffa1ba2904ffaf6768
Restart Required: Yes
Instructions:
1. Upgrade to Zulip 8.4 or later.
2. Alternatively, apply the specific commit e1029b59ede0c4f314c367ffa1ba2904ffaf6768 to your Zulip 8.3 installation.
3. Restart the Zulip server services.
🔧 Temporary Workarounds
Content Security Policy Enhancement
Implement stricter Content Security Policy headers to restrict script execution from untrusted sources.
Input Sanitization Proxy
Deploy a web application firewall or reverse proxy that sanitizes HTML/JavaScript in user content.
🧯 If You Can't Patch
- Disable or restrict user-generated content features that trigger the copy_and_paste.js functionality.
- Implement network segmentation to isolate Zulip instances from critical systems.
🔍 How to Verify
Check if Vulnerable:
Check if running Zulip version 8.3 by examining the version file or web interface. Review copy_and_paste.js line 90 for the vulnerable construct_copy_div function.
Check Version:
cat /home/zulip/deployments/current/version.py | grep ZULIP_VERSION
Verify Fix Applied:
Verify the commit e1029b59ede0c4f314c367ffa1ba2904ffaf6768 is applied or upgrade to Zulip 8.4+. Test that malicious script injection via copy/paste functionality is no longer possible.
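One way to automate the version and commit checks above, as an added example that is not part of this advisory or of the Zulip project: it assumes version.py contains a line of the form ZULIP_VERSION = "8.3" and that the deployment directory is a git checkout (needed only for the commit check).

```shell
FIX_COMMIT="e1029b59ede0c4f314c367ffa1ba2904ffaf6768"   # fix commit from the advisory
FIXED_MAJOR=8
FIXED_MINOR=4

# Print the ZULIP_VERSION string from a version.py-style file.
zulip_version() {
    sed -n 's/^ZULIP_VERSION *= *"\([^"]*\)".*/\1/p' "$1"
}

# Succeed (exit 0) when version "$1" is 8.4 or later. Only major.minor are
# compared numerically; suffixes such as "+git" are ignored.
version_is_fixed() {
    v=$1
    major=${v%%.*}
    major=${major%%[!0-9]*}
    rest=${v#*.}
    [ "$rest" != "$v" ] || rest=0        # no minor component at all
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}
    [ -n "$major" ] || major=0
    [ -n "$minor" ] || minor=0
    [ "$major" -gt "$FIXED_MAJOR" ] ||
        { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ]; }
}

# Succeed when the fix commit is already an ancestor of HEAD in git checkout "$1".
fix_commit_present() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# Report on deployment directory "$1" (the directory containing version.py).
check_deployment() {
    ver=$(zulip_version "$1/version.py")
    if version_is_fixed "$ver" || fix_commit_present "$1"; then
        echo "fixed ($ver)"
    else
        echo "VULNERABLE ($ver): upgrade to 8.4+ or apply $FIX_COMMIT"
    fi
}

# Demonstration on a constructed version.py, not a real deployment.
demo=$(mktemp -d)
printf 'ZULIP_VERSION = "8.3"\n' > "$demo/version.py"
check_deployment "$demo"      # prints: VULNERABLE (8.3): upgrade to 8.4+ ...
rm -r "$demo"
```

For a real host, call check_deployment with /home/zulip/deployments/current instead of the constructed directory.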
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript execution errors in browser console logs
- Suspicious HTML patterns in user content logs
Network Indicators:
- Unexpected outbound connections from Zulip clients to external domains following copy/paste actions
SIEM Query:
source="zulip-access.log" AND (uri="*copy*" OR uri="*paste*") AND status=200