CVE-2019-16216
Zulip server before 2.0.5 (local uploads) and before 2.0.5 (S3 uploads) mishandled MIME type validation for uploaded files, enabling a stored XSS across logged-in users. On local uploads, the attack affects browsers without CSP support (e.g., IE11); on S3, the impact is limited to the configured ...