{"id":"CVE-2019-16216","details":"Zulip server before 2.0.5 incompletely validated the MIME types of uploaded files. A user who is logged into the server could upload files of certain types to mount a stored cross-site scripting attack on other logged-in users. On a Zulip server using the default local uploads backend, the attack is only effective against browsers lacking support for Content-Security-Policy such as Internet Explorer 11. On a Zulip server using the S3 uploads backend, the attack is confined to the origin of the configured S3 uploads hostname and cannot reach the Zulip server itself.","modified":"2026-03-14T09:33:20.159034Z","published":"2019-09-18T12:15:10.990Z","references":[{"type":"ADVISORY","url":"https://blog.zulip.org/2019/09/11/zulip-server-2-0-5-security-release/"},{"type":"FIX","url":"https://github.com/zulip/zulip/commit/1195841dfb9aa26b3b0dabc6f05d72e4af25be3e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zulip/zulip","events":[{"introduced":"a6a5636a326d41c82a21f5fe2b26463162b37621"},{"fixed":"2bb3af1ade5bb3613dc88d44164abbe1230cd679"},{"fixed":"1195841dfb9aa26b3b0dabc6f05d72e4af25be3e"}],"database_specific":{"versions":[{"introduced":"1.8.0"},{"fixed":"2.0.5"}]}}],"versions":["1.8.0","1.9.0","1.9.0-rc2","1.9.0-rc3","2.0.0","2.0.0-rc1","2.0.1","2.0.2","2.0.3","2.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16216.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}