{"id":"CVE-2022-35962","summary":"Crafted link in Zulip message can cause disclosure of credentials","details":"Zulip is an open source team chat and Zulip Mobile is an app for iOS and Android users. In Zulip Mobile through version 27.189, a crafted link in a message sent by an authenticated user could lead to credential disclosure if a user follows the link. A patch was released in version 27.190.","aliases":["GHSA-4gj2-j32x-4wg5"],"modified":"2026-04-10T04:49:34.006599Z","published":"2022-08-29T14:50:09Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35962.json","cwe_ids":["CWE-184","CWE-436"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/zulip/zulip-mobile/releases/tag/v27.190"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35962.json"},{"type":"ADVISORY","url":"https://github.com/zulip/zulip-mobile/security/advisories/GHSA-4gj2-j32x-4wg5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35962"},{"type":"ARTICLE","url":"https://blog.zulip.com/2022/08/24/zulip-server-5-6-security-release/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zulip/zulip-mobile","events":[{"introduced":"0"},{"fixed":"44884c944796072554f3eb2acbdf12a392878f3e"}]}],"versions":["0.7.1","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.20","1.0.21","1.0.22","1.0.24","1.0.25","1.0.26","1.0.27","1.0.29","10.1.70","11.1.73","11.3.74","11.4.75","11.5.76","11.6.77","12.0.80","12.1.81","12.2.82","13.1.85","14.0.90","15.0.92","16.0.93","16.1.94","16.2.96","17.0.97","18.0.99","19.0.100","19.1.101","19.2.102","2.1.33","2.3.35","2.7.39","20.0.103","21.0.104","21.1.105","21.2.106","22.0.107","23.0.109","23.1.110","23.2.111","24.0.113","25.0.114","25.1.115","25.2.116","25.3.117","25.4.118","25.6.120","25.7.121","25.8.122","26.0.123","26.1.124","26.10.133","26.11.134","26.
12.135","26.13.136","26.14.137","26.16.139","26.17.140","26.18.141","26.20.143","26.21.144","26.22.145","26.23.146","26.24.147","26.25.148","26.26.149","26.28.151","26.29.152","26.3.126","26.30.153","26.4.127","26.5.128","26.6.129","26.7.130","26.8.131","26.9.132","3.0.40","3.1.41","3.2.42","3.3.43","5.0.46","6.6.53","7.0.54","7.1.55","7.3.57","8.1.62","8.2.63","8.3.64","9.1.67","v27.154","v27.155","v27.156","v27.157","v27.158","v27.159","v27.162","v27.164","v27.166","v27.169","v27.170","v27.171","v27.172","v27.173","v27.174","v27.176","v27.177","v27.181","v27.182","v27.183","v27.184","v27.185","v27.186","v27.187","v27.188","v27.189"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35962.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}