CVE-2019-18933
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account.
En Zulip Server versiones 1.7.0 anteriores a 2.0.7, un error en el proceso nuevo registro de usuarios, significaba que usuarios que registraron su cuenta mediante autenticación social (por ejemplo, GitHub o Google SSO) en una organización que también permite autenticación de contraseña podrían tener su clave API personal robada por parte de un atacante no privilegiado, permitiendo un acceso casi completo a la cuenta del usuario.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-11-13 CVE Reserved
- 2019-11-21 CVE Published
- 2024-08-05 CVE Updated
- 2025-04-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/zulip/zulip/commit/0c2cc41d2e40807baa5ee2c72987ebfb64ea2eb6 | 2020-08-24 |
| URL | Date | SRC |
|---|---|---|
| https://blog.zulip.org/2019/11/21/zulip-2-0-7-security-release | 2020-08-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Zulip Search vendor "Zulip" | Zulip Server Search vendor "Zulip" for product "Zulip Server" | >= 1.7.0 < 2.0.7 Search vendor "Zulip" for product "Zulip Server" and version " >= 1.7.0 < 2.0.7" | - |
Affected
| ||||||