Admin can update workspace status of another admin
April 8, 2021
| Reported at | April 3, 2021 |
| Weakness | CWE-285: Improper Authorization |
A malicious admin can update the workspace status of another admin, but only if both are admins of the same workspace. The attacker cannot delete the other admin or perform any other disallowed action, and the workspace owner can undo the malicious admin's change.
Step-by-step scenario
- Three users are in the same workspace: Carol (owner), Alice (admin) and Bob (admin).
- Using the update-workspace-status request, Alice changes Bob's workspace status.
Expected behaviour: only the workspace owner should be able to change the workspace status of an admin.
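To make the authorization gap concrete, here is an added example (not the affected application's code) that models the update-workspace-status check twice: once as reported, where any admin of the workspace passes, and once with the expected rule, where changing an admin's status requires the owner. The role names, the `Membership` record and the assumption that admins may still manage ordinary members are illustrative choices, not taken from the report.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    OWNER = "owner"
    ADMIN = "admin"
    MEMBER = "member"


@dataclass(frozen=True)
class Membership:
    user: str
    workspace: str
    role: Role


def lookup(memberships, user, workspace):
    """Return the user's membership in this workspace, or None if they are not a member."""
    for m in memberships:
        if m.user == user and m.workspace == workspace:
            return m
    return None


def vulnerable_can_update_status(memberships, actor, target, workspace):
    """Reported behaviour: the check only asks whether the actor is an owner or admin
    of the workspace and never looks at the target's role, so admin-on-admin passes."""
    a = lookup(memberships, actor, workspace)
    t = lookup(memberships, target, workspace)
    return a is not None and t is not None and a.role in (Role.OWNER, Role.ADMIN)


def fixed_can_update_status(memberships, actor, target, workspace):
    """Expected behaviour: the owner may change anyone's status; an admin may change
    only ordinary members (assumption), never another admin or the owner."""
    a = lookup(memberships, actor, workspace)
    t = lookup(memberships, target, workspace)
    if a is None or t is None:
        return False  # actor or target is not in this workspace at all
    if a.role == Role.OWNER:
        return True
    if a.role == Role.ADMIN:
        return t.role == Role.MEMBER
    return False


# Constructed sample data mirroring the report's scenario, plus one ordinary member.
WORKSPACE = "ws-1"
MEMBERS = [
    Membership("carol", WORKSPACE, Role.OWNER),
    Membership("alice", WORKSPACE, Role.ADMIN),
    Membership("bob", WORKSPACE, Role.ADMIN),
    Membership("dave", WORKSPACE, Role.MEMBER),
]
```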