{"id":"CVE-2018-9999","details":"In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend.","modified":"2026-04-10T04:12:59.499074Z","published":"2018-04-18T08:29:00.890Z","references":[{"type":"ADVISORY","url":"https://blog.zulip.org/2018/04/12/zulip-1-7-2-released/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zulip/zulip","events":[{"introduced":"0"},{"fixed":"6bad5b661695f8796ce7e9a50f588b4da34e27c4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.7.2"}]}}],"versions":["1.3.0","1.3.1","1.3.10","1.3.11","1.3.13","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.5.0","1.6.0","1.7.0","1.7.1","enterprise-1.1.5","enterprise-1.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-9999.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}