In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account.
History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-11-21T22:45:15

Updated: 2024-08-05T02:02:39.793Z

Reserved: 2019-11-13T00:00:00

Link: CVE-2019-18933

Vulnrichment

No data.

NVD

Status: Modified

Published: 2019-11-21T23:15:13.687

Modified: 2024-11-21T04:33:51.953

Link: CVE-2019-18933

Redhat

No data.