Zulip Server prior to 2.1.3 allows XSS via a Markdown link, with resultant account takeover.
zulip zulip server