Zeroheight Account Creation Verification Bypass Vulnerability
Vulnerability
A vulnerability exists in Zeroheight (SaaS) in versions prior to 2025-06-13, where a legacy user creation API allowed accounts to be created without completing the required email verification. Although unverified accounts could not access product features, this bypassed the intended verification process, leading to unauthorized account creation. This issue could have facilitated the creation of spam or fake accounts, potentially impacting resource usage. No data exposure or unauthorized access to existing accounts was reported.
Impact
This vulnerability allows for the creation of accounts without proper verification, bypassing intended access controls. This could lead to an influx of fake or spam accounts, causing resource exhaustion. Additionally, such accounts could be used in social engineering or chained attack scenarios.
Remediation
Zeroheight has fixed this vulnerability by requiring a valid verification token for all account creation flows and enhancing validation checks before processing new registrations. Users should ensure they are on the latest version of the service.
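To illustrate the remediation described above, here is an added example (not Zeroheight's code; the in-memory stores, the token lifetime and the function names are assumptions) contrasting a legacy creation path that checks nothing with one that requires a valid, unexpired, single-use verification token bound to the e-mail address.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the service's database (assumption).
PENDING_TOKENS = {}   # email -> (sha256 hex of token, expiry timestamp)
ACCOUNTS = {}         # email -> {"verified": bool}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a verification link


def issue_verification_token(email, now=None):
    """Issue the single-use, time-limited token the verification e-mail would carry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness; guessing is infeasible
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING_TOKENS[email] = (digest, now + TOKEN_TTL_SECONDS)  # store only the hash
    return token


def create_account_legacy(email):
    """The kind of legacy flow the advisory describes: no verification token is checked."""
    ACCOUNTS[email] = {"verified": False}
    return True


def create_account(email, token, now=None):
    """Hardened flow: the account is created only with a valid token for this address."""
    now = time.time() if now is None else now
    entry = PENDING_TOKENS.get(email)
    if entry is None:
        return False  # no verification was ever issued for this address
    digest, expires_at = entry
    if now > expires_at:
        del PENDING_TOKENS[email]
        return False  # expired; the caller must request a fresh token
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, digest):
        return False  # wrong token; constant-time compare, pending entry kept
    del PENDING_TOKENS[email]  # single use: a replayed token fails below
    ACCOUNTS[email] = {"verified": True}
    return True
```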
