Zulip Server prior to 2.1.3 allows XSS via the modal_link feature in the Markdown functionality.
zulip zulip server