Email verification not required
| Field | Value |
|---|---|
| Reported in | August, 2021 |
| Weakness | CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User |
An administrator invites a regular user to a workspace. After the invitation is accepted, the invited user can change their own role through this functionality.
- Three users are in the same workspace: the owner, a regular user, and an invited user with the admin role.
- The regular user sets their own email address to the same address as the invited user.
- After that email change, the regular user sends the API request that confirms the change to their regular (original) email.
- The regular user can now promote themselves to the administrator role.
Users should not be able to bypass email verification.