CRITICAL🇵🇱 Wersja polska

CVE-2019-18933

CVSS 9.8v3.1pub. 2019-11-21upd. 2024-11-21

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Zulip Server

    APP
    Zulip
    1.7.0 – 2.0.7 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-31478HIGH8.2ten sam produkt

Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limi...

CVE-2024-36612HIGH7.5ten sam produkt

Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the handling of popovers.

CVE-2023-33186HIGH8.2ten sam produkt

Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of em...

CVE-2022-21706HIGH7.2ten sam produkt

Zulip is an open-source team collaboration tool with topic-based threading. Zulip Server version 2.0.0 and abo...

CVE-2020-15070HIGH8.8ten sam produkt

Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to th...