CVE-2020-10935

Zulip Server before 2.1.3 allows XSS via a Markdown link, with resultant account takeover.
Source: NIST
CVE-2020-10935