
Cloud Vulnerability DB
A community-led vulnerabilities database
A stored cross-site scripting (XSS) vulnerability, tracked as CVE-2021-3866, was identified in the main branch of Zulip Server. It affected installations running the main (development) branch between December 4th, 2021, and January 15th, 2022; specifically, it was present in the stream-name handling of versions from commit 44f935695d452cc3fb16845a0c6af710438b153d up to commit 3eb2791c3e9695f7d37ffe84e0c2184fae665cb6. The vulnerability was discovered by Abdul Muhaimin and was not present in any official release (Zulip Blog).
The vulnerability stemmed from incorrect HTML escaping in the recipient_row.hbs template. Extra braces had been added to an expression with the intention of adding whitespace control, producing the triple-brace syntax that bypasses string escaping in the Handlebars templating system (GitHub Commit).
This allowed users with permission to create or rename streams to execute arbitrary JavaScript in other users' browsers. An audit of access logs on Zulip Cloud verified that the vulnerability was not exploited during the period it was active (Zulip Blog).
For affected installations running the main branch, the recommended mitigation is to upgrade immediately to the latest version of the main branch. Because the vulnerability was never present in a released version of Zulip Server, no new release was required. Administrators can check whether their installation is affected by running a specific git command that tests for the vulnerable commit (Zulip Blog).
Source: This report was generated using AI