How severe is CVE-2022-36048?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.3 out of 10.

What type of vulnerability is CVE-2022-36048?

This is classified as CWE-436, which is a common weakness in software security.

CVE-2022-36048 - MEDIUM Severity | CVSS 4.3

Vulnerability Description

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. When displaying messages with embedded remote images, Zulip normally loads the image preview via a go-camo proxy server. However, an attacker who can send messages could include a crafted URL that tricks the server into embedding a remote image reference directly. This could allow the attacker to infer the viewer’s IP address and browser fingerprinting information. This vulnerability is fixed in Zulip Server 5.6. Zulip organizations with image and link previews [disabled](https://zulip.com/help/allow-image-link-previews) are not affected.

Related Vulnerabilities

CVE-2023-22735

MEDIUM

CVSS:4.6(Medium)

Zulip is an open-source team collaboration tool. In versions of zulip prior to commit `2f6c5a8` but after commit `04cf68b` users could upload files with arbitrary `Content-Type` which would be served ...

CWE-4362023

CVE-2023-45715

LOW

CVSS:3.5(Low)

The console may experience a service interruption when processing file names with invalid characters.

CWE-4362023

CVE-2024-2004

LOW

CVSS:3.5(Low)

When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protoco...

CWE-4362024

CVE-2023-30541

MEDIUM

CVSS:5.3(Medium)

OpenZeppelin Contracts is a library for secure smart contract development. A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. ...

CWE-4362023

CVE-2024-3386

MEDIUM

CVSS:5.3(Medium)

An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains t...

CWE-4362024

CVE-2025-24013

MEDIUM

CVSS:5.3(Medium)

CodeIgniter is a PHP full-stack web framework. Prior to 4.5.8, CodeIgniter lacked proper header validation for its name and value. The potential attacker can construct deliberately malformed headers w...

CWE-4362025