In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2019-11-21T22:45:15
Updated: 2024-08-05T02:02:39.793Z
Reserved: 2019-11-13T00:00:00
Link: CVE-2019-18933
Vulnrichment
No data.
NVD
Status : Modified
Published: 2019-11-21T23:15:13.687
Modified: 2024-11-21T04:33:51.953
Link: CVE-2019-18933
Redhat
No data.