CVE-2019-18933

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-18933

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18933.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-18933

Published

2019-11-21T23:15:13.687Z

Modified

2026-03-03T01:13:12.205635Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new user signup process meant that users who registered their account using social authentication (e.g., GitHub or Google SSO) in an organization that also allows password authentication could have their personal API key stolen by an unprivileged attacker, allowing nearly full access to the user's account.

References

Affected packages

Git / github.com/zulip/zulip

Affected ranges

Type: GIT
Repo: https://github.com/zulip/zulip
Events: Introduced

ff6a502200bf6fdc1796a5d919a7a66b6ec5a9c9

Fixed

1bf0a92eb6a4ae1e30aaab8ff13a3858085764f7

Affected versions

1.*

1.7.0

1.8.0

1.8.0-rc1

1.9.0

1.9.0-rc2

1.9.0-rc3

2.*

2.0.0

2.0.0-rc1

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18933.json"